projects
/
platform
/
adaptation
/
renesas_rcar
/
renesas_kernel.git
/ commitdiff
commit
grep
author
committer
pickaxe
?
search:
re
summary
|
shortlog
|
log
|
commit
| commitdiff |
tree
raw
|
patch
| inline |
side by side
(parent:
13fff2f
)
nfs: check for integer overflow in decode_devicenotify_args()
author
Dan Carpenter
<dan.carpenter@oracle.com>
Thu, 12 Jan 2012 07:16:14 +0000
(10:16 +0300)
committer
Trond Myklebust
<Trond.Myklebust@netapp.com>
Thu, 12 Jan 2012 21:30:07 +0000
(16:30 -0500)
On 32 bit, if n is too large then "n * sizeof(*args->devs)" could
overflow and args->devs would be smaller than expected.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
fs/nfs/callback_xdr.c
patch
|
blob
|
history
diff --git
a/fs/nfs/callback_xdr.c
b/fs/nfs/callback_xdr.c
index
726e59a
..
d50b274
100644
(file)
--- a/
fs/nfs/callback_xdr.c
+++ b/
fs/nfs/callback_xdr.c
@@
-305,6
+305,10
@@
__be32 decode_devicenotify_args(struct svc_rqst *rqstp,
n = ntohl(*p++);
if (n <= 0)
goto out;
+ if (n > ULONG_MAX / sizeof(*args->devs)) {
+ status = htonl(NFS4ERR_BADXDR);
+ goto out;
+ }
args->devs = kmalloc(n * sizeof(*args->devs), GFP_KERNEL);
if (!args->devs) {