scsi: libfc: Prevent integer overflow in fc_fcp_recv_data()

Dan Carpenter · martinkpetersen · commit 120642726ecb · 2025-10-06T22:27:28.000-04:00
The "offset" comes from the skb->data that we received. Here the code is verifying that "offset + len" is within bounds however it does not take integer overflows into account. Use size_add() to be safe. This would only be an issue on 32bit systems which are probably a very small percent of the users. Still, it's worth fixing just for correctness sake. Fixes: 42e9a92 ("[SCSI] libfc: A modular Fibre Channel library") Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org> Message-Id: <aNvPMet7TPtM9CY1@stanley.mountain> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
diff --git a/drivers/scsi/libfc/fc_fcp.c b/drivers/scsi/libfc/fc_fcp.c
@@ -503,7 +503,7 @@ static void fc_fcp_recv_data(struct fc_fcp_pkt *fsp, struct fc_frame *fp)
 		host_bcode = FC_ERROR;
 		goto err;
 	}
-	if (offset + len > fsp->data_len) {
+	if (size_add(offset, len) > fsp->data_len) {
 		/* this should never happen */
 		if ((fr_flags(fp) & FCPHF_CRC_UNCHECKED) &&
 		    fc_frame_crc_check(fp))

Original file line number	Diff line number	Diff line change
`@@ -503,7 +503,7 @@ static void fc_fcp_recv_data(struct fc_fcp_pkt fsp, struct fc_frame fp)`
`503`	`503`	`host_bcode = FC_ERROR;`
`504`	`504`	`goto err;`
`505`	`505`	`}`
`506`		`- if (offset + len > fsp->data_len) {`
	`506`	`+ if (size_add(offset, len) > fsp->data_len) {`
`507`	`507`	`/* this should never happen */`
`508`	`508`	`if ((fr_flags(fp) & FCPHF_CRC_UNCHECKED) &&`
`509`	`509`	`fc_frame_crc_check(fp))`