On Mon, May 18, 2026 at 10:11:04AM +0100, Simon Horman wrote:
> > @@ -319,6 +319,9 @@ static int nfc_llcp_getsockopt(struct socket *sock, int
> > level, int optname,
> > if (get_user(len, optlen))
> > return -EFAULT;
> >
> > + if (len < sizeof(u32))
> > + return -EINVAL;
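Review bot: the new bound check `if (len < sizeof(u32))` compares the signed `int` `len` against a `size_t`, so the usual arithmetic conversions make `len` unsigned for the comparison and a negative length (e.g. -1 from userspace) is not rejected here; compare against `(int)sizeof(u32)` or add an explicit `if (len < 0) return -EINVAL;` before the size comparison so the check actually bounds the later copy.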
>
> Since len is a signed int and sizeof(u32) is an unsigned size_t, does C
> integer promotion cause negative lengths to bypass this check?
Good catch, you're right. `len` is `int` and might get promoted to unsigned in
the comparison, so optlen = -1 becomes a huge value and slips past the check,
then min_t(u32, ...) clamps it back to 4 and the overflow happens anyway.
I'll fix this in v2 by casting:
	if (len < (int)sizeof(u32))
		return -EINVAL;
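As an added illustration (not part of this thread or of the kernel patch), the following stand-alone userspace C reproduces the comparison discussed above. The `u32` typedef, the `min_t_u32` macro standing in for the kernel's `min_t(u32, ...)`, and the three `check_len_*` helpers are assumptions made for the example; they are not the nfc_llcp code.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <errno.h>

typedef uint32_t u32;

/* Stand-in for the kernel's min_t(u32, a, b): both operands are cast to u32
 * before the comparison, so a negative int becomes a large unsigned value. */
#define min_t_u32(a, b) ((u32)(a) < (u32)(b) ? (u32)(a) : (u32)(b))

/* The check as posted in the hunk: a signed int compared with a size_t.
 * Under the usual arithmetic conversions len is converted to size_t, so
 * len == -1 becomes SIZE_MAX, which is not less than 4, and the check passes. */
int check_len_original(int len)
{
	if (len < sizeof(u32))
		return -EINVAL;
	return 0;
}

/* The proposed v2 check: both operands are int, so -1 < 4 holds and the
 * negative length is rejected. */
int check_len_v2(int len)
{
	if (len < (int)sizeof(u32))
		return -EINVAL;
	return 0;
}

/* An equivalent explicit form: rule out negatives first, then compare the
 * (now known non-negative) length as an unsigned value. */
int check_len_explicit(int len)
{
	if (len < 0 || (size_t)len < sizeof(u32))
		return -EINVAL;
	return 0;
}

/* What a min_t(u32, len, sizeof(u32)) clamp yields for a length that got
 * past the original check: -1 wraps to 0xFFFFFFFF and is clamped to 4. */
u32 clamped_len(int len)
{
	return min_t_u32(len, sizeof(u32));
}

int main(void)
{
	int lens[] = { -1, 0, 2, 4, 8 };
	size_t i;

	for (i = 0; i < sizeof(lens) / sizeof(lens[0]); i++) {
		int len = lens[i];

		printf("len=%d original=%d v2=%d explicit=%d clamp=%u\n",
		       len,
		       check_len_original(len),
		       check_len_v2(len),
		       check_len_explicit(len),
		       clamped_len(len));
	}
	return 0;
}
```

Building with `-Wall -Wextra` flags the original comparison with a sign-compare warning, which is a cheap way to catch this class of bug before it reaches review.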