[PATCH] libceph: fix overflow check in crush_decode()

From: Xi Wang
Date: Thu Feb 16 2012 - 11:58:37 EST

Next message: Peter Zijlstra: "Re: [RFC PATCH 14/14] sched: implement usage tracking"
Previous message: Cyrill Gorcunov: "Re: + syscalls-x86-add-__nr_kcmp-syscall-v8.patch added to -mm tree"
Next in thread: Sage Weil: "Re: [PATCH] libceph: fix overflow check in crush_decode()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

The existing overflow check (n > ULONG_MAX / b) didn't work, because
n = ULONG_MAX / b would both bypass the check and still overflow the
allocation size a + n * b.

The correct check should be (n > (ULONG_MAX - a) / b).

Signed-off-by: Xi Wang <xi.wang@xxxxxxxxx>
---
net/ceph/osdmap.c | 3 ++-
1 files changed, 2 insertions(+), 1 deletions(-)

diff --git a/net/ceph/osdmap.c b/net/ceph/osdmap.c
index fd863fe..29ad46e 100644
--- a/net/ceph/osdmap.c
+++ b/net/ceph/osdmap.c
@@ -283,7 +283,8 @@ static struct crush_map *crush_decode(void *pbyval, void *end)
ceph_decode_32_safe(p, end, yes, bad);
#if BITS_PER_LONG == 32
err = -EINVAL;
- if (yes > ULONG_MAX / sizeof(struct crush_rule_step))
+ if (yes > (ULONG_MAX - sizeof(*r))
+ / sizeof(struct crush_rule_step))
goto bad;
#endif
r = c->rules[i] = kmalloc(sizeof(*r) +
--
1.7.5.4

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Peter Zijlstra: "Re: [RFC PATCH 14/14] sched: implement usage tracking"
Previous message: Cyrill Gorcunov: "Re: + syscalls-x86-add-__nr_kcmp-syscall-v8.patch added to -mm tree"
Next in thread: Sage Weil: "Re: [PATCH] libceph: fix overflow check in crush_decode()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]