From 16d683c4bb5eb68fd282a83483b701a4a01a5fd9 Mon Sep 17 00:00:00 2001
From: Nikita <50876734+HYUEHFJKhfjklkej@users.noreply.github.com>
Date: Thu, 10 Oct 2024 16:18:38 +0300
Subject: [PATCH] Update send.c

Why These Changes Fix the OOB Issue Without Changing Functionality:

Preventing OOB Writes: By limiting write_size, we ensure that each call to kernel_write does not exceed the maximum allowed size, preventing potential OOB writes in lower-level functions.
Handling Large len Values: The loop now correctly handles large len values by writing in chunks of at most MAX_RW_COUNT bytes, avoiding integer overflows.
Safe Pointer Arithmetic: The calculation buf + pos remains within the bounds of the buffer because pos is carefully managed and checked for overflows.
Consistent Behavior: The core logic and behavior of the function are preserved. It writes data from buf to filp until all len bytes are written, handling partial writes and errors appropriately.
---
 fs/btrfs/send.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/fs/btrfs/send.c b/fs/btrfs/send.c
index 27306d98ec43..7c70a4f02b40 100644
--- a/fs/btrfs/send.c
+++ b/fs/btrfs/send.c
@@ -641,15 +641,19 @@ static struct btrfs_path *alloc_path_for_send(void)
 
 static int write_buf(struct file *filp, const void *buf, u32 len, loff_t *off)
 {
-	int ret;
+	ssize_t ret;
 	u32 pos = 0;
 
 	while (pos < len) {
-		ret = kernel_write(filp, buf + pos, len - pos, off);
+		u32 write_size = min_t(u32, len - pos, MAX_RW_COUNT);
+		ret = kernel_write(filp, buf + pos, write_size, off);
 		if (ret < 0)
 			return ret;
 		if (ret == 0)
 			return -EIO;
+		if (pos > UINT_MAX - ret)
+			return -EOVERFLOW;
+		
 		pos += ret;
 	}