[PATCH] staging: lustre: check for integer overflow

Vitaly Osipov Sat, 26 Apr 2014 08:08:46 -0700

In ll_ioctl_fiemap(), a user-supplied value is used to calculate a
length of a buffer which is later allocated with user data.


Signed-off-by: Vitaly Osipov <vitaly.osi...@gmail.com>
---
 drivers/staging/lustre/lustre/llite/file.c |    4 ++++
 1 file changed, 4 insertions(+)

diff --git a/drivers/staging/lustre/lustre/llite/file.c 
b/drivers/staging/lustre/lustre/llite/file.c
index 3efda25..e923978 100644
--- a/drivers/staging/lustre/lustre/llite/file.c
+++ b/drivers/staging/lustre/lustre/llite/file.c
@@ -1745,6 +1745,10 @@ static int ll_ioctl_fiemap(struct inode *inode, unsigned 
long arg)
        if (get_user(extent_count,
            &((struct ll_user_fiemap __user *)arg)->fm_extent_count))
                return -EFAULT;
+
+       if (extent_count >=
+           (SIZE_MAX - sizeof(*fiemap_s)) / sizeof(struct ll_fiemap_extent))
+               return -EINVAL;
        num_bytes = sizeof(*fiemap_s) + (extent_count *
                                         sizeof(struct ll_fiemap_extent));
 
-- 
1.7.9.5

_______________________________________________
devel mailing list
de...@linuxdriverproject.org
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel

[PATCH] staging: lustre: check for integer overflow

Reply via email to