projects / openwrt / staging / blogic.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 98e9685)
nilfs2: avoid overflowing segment numbers in nilfs_ioctl_clean_segments()
authorXi Wang <[email protected]>
Thu, 9 Feb 2012 01:13:37 +0000 (17:13 -0800)
committerLinus Torvalds <[email protected]>
Thu, 9 Feb 2012 03:03:51 +0000 (19:03 -0800)
nsegs is read from userspace.  Limit its value and avoid overflowing nsegs
* sizeof(__u64) in the subsequent call to memdup_user().

This patch complements 481fe17e973fb9 ("nilfs2: potential integer overflow
in nilfs_ioctl_clean_segments()").

Signed-off-by: Xi Wang <[email protected]>
Cc: Haogang Chen <[email protected]>
Acked-by: Ryusuke Konishi <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
Signed-off-by: Linus Torvalds <[email protected]>
fs/nilfs2/ioctl.c patch | blob | history

diff --git a/fs/nilfs2/ioctl.c b/fs/nilfs2/ioctl.c
index 886649627c3d68d568914ee3d88983cbebcf08a5..2a70fce70c65be1151783e3aba3c221e39642ba7 100644 (file)
--- a/fs/nilfs2/ioctl.c
+++ b/fs/nilfs2/ioctl.c
@@ -603,6 +603,8 @@ static int nilfs_ioctl_clean_segments(struct inode *inode, struct file *filp,
        nsegs = argv[4].v_nmembs;
        if (argv[4].v_size != argsz[4])
                goto out;
+       if (nsegs > UINT_MAX / sizeof(__u64))
+               goto out;
 
        /*
         * argv[4] points to segment numbers this ioctl cleans.  We
John Crispins staging tree