diff options
| author | Dan Carpenter <dan.carpenter@oracle.com> | 2012-01-12 10:16:14 +0300 |
|---|---|---|
| committer | Trond Myklebust <Trond.Myklebust@netapp.com> | 2012-01-12 16:30:07 -0500 |
| commit | 363e0df057ea8da539645fe4c3c227e3d44054cc (patch) | |
| tree | 9248304c9e407720e328c8cb4001dd3abaa74758 | |
| parent | 13fff2f35fd21d69ee84ef6a78610420e1a42818 (diff) | |
nfs: check for integer overflow in decode_devicenotify_args()
On 32 bit, if n is too large then "n * sizeof(*args->devs)" could
overflow and args->devs would be smaller than expected.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
| -rw-r--r-- | fs/nfs/callback_xdr.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/fs/nfs/callback_xdr.c b/fs/nfs/callback_xdr.c index 726e59a9e50f..d50b2742f23b 100644 --- a/fs/nfs/callback_xdr.c +++ b/fs/nfs/callback_xdr.c @@ -305,6 +305,10 @@ __be32 decode_devicenotify_args(struct svc_rqst *rqstp, n = ntohl(*p++); if (n <= 0) goto out; + if (n > ULONG_MAX / sizeof(*args->devs)) { + status = htonl(NFS4ERR_BADXDR); + goto out; + } args->devs = kmalloc(n * sizeof(*args->devs), GFP_KERNEL); if (!args->devs) { |