An integer overflow in the nvlist size calculation could lead
to under-allocation and a heap buffer overflow.

Signed-off-by: Timo tp Preißl <[email protected]>
---
 fs/zfs/zfs.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/fs/zfs/zfs.c b/fs/zfs/zfs.c
index 410a61aa611..624f4e48cc8 100644
--- a/fs/zfs/zfs.c
+++ b/fs/zfs/zfs.c
@@ -1627,7 +1627,10 @@ zfs_nvlist_lookup_nvlist(char *nvlist, char *name)
         * nvlist to hold the encoding method, and two zero uint32's after the
         * nvlist as the NULL terminator.
         */
-       ret = calloc(1, size + 3 * sizeof(uint32_t));
+       if (__builtin_add_overflow(size, 3 * sizeof(uint32_t), &alloc))
+               return 0;
+
+       ret = calloc(1, alloc);
        if (!ret)
                return 0;
        memcpy(ret, nvlist, sizeof(uint32_t));
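Review bot: `alloc`, the destination operand of `__builtin_add_overflow` on the first added line, is declared nowhere in this patch, and the diffstat (4 insertions, 1 deletion) shows no other hunk, so it must already exist in the enclosing function, whose start lies outside the hunk; its type should be confirmed to be `size_t`, because the builtin reports overflow relative to the destination type, and a wider `alloc` would let the check pass while `calloc` silently truncates the argument. The early `return 0` on overflow mirrors the existing `if (!ret) return 0;`, so callers cannot tell a corrupt nvlist from a missing name; that matches the file's existing style, but the intent deserves a one-line comment above the check such as `/* size is presumably decoded from the nvlist itself; refuse a size whose padded allocation would wrap */`. `__builtin_add_overflow` is a GCC/Clang extension; if the project already has a portable checked-add helper, it would be consistent to use it here.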
-- 
2.43.0

