UBI: fix out of bounds write
authorBrian Norris <computersforpeace@gmail.com>
Sat, 28 Feb 2015 10:23:26 +0000 (02:23 -0800)
committerRichard Weinberger <richard@nod.at>
Thu, 26 Mar 2015 11:07:17 +0000 (12:07 +0100)
If aeb->len >= vol->reserved_pebs, we should not be writing aeb into the
PEB->LEB mapping.

Caught by Coverity, CID #711212.

Cc: stable <stable@vger.kernel.org>
Signed-off-by: Brian Norris <computersforpeace@gmail.com>
Signed-off-by: Richard Weinberger <richard@nod.at>
drivers/mtd/ubi/eba.c

index 16e34b3..8c9a710 100644 (file)
@@ -1419,7 +1419,8 @@ int ubi_eba_init(struct ubi_device *ubi, struct ubi_attach_info *ai)
                                 * during re-size.
                                 */
                                ubi_move_aeb_to_list(av, aeb, &ai->erase);
-                       vol->eba_tbl[aeb->lnum] = aeb->pnum;
+                       else
+                               vol->eba_tbl[aeb->lnum] = aeb->pnum;
                }
        }