* Re: [PATCH] ubi: gluebi_{read,write} len + {from,to} can exceed mtd->size
2009-06-22 17:21 [PATCH] ubi: gluebi_{read, write} len + {from, to} can exceed mtd->size Roel Kluin
@ 2009-06-22 16:17 ` Artem Bityutskiy
0 siblings, 0 replies; 2+ messages in thread
From: Artem Bityutskiy @ 2009-06-22 16:17 UTC (permalink / raw)
To: Roel Kluin; +Cc: Andrew Morton, linux-mtd
On Mon, 2009-06-22 at 19:21 +0200, Roel Kluin wrote:
> when size_t `len' is negative it is wrapped so the test `len < 0' fails.
> `from' and `to' have type loff_t (signed). During the addition `len' is
> converted to signed. So when `len' is negative `from + len` can be
> less than `mtd->size' while `from' is larger than `mtd->size'. This
> patch fixes this.
>
> Signed-off-by: Roel Kluin <roel.kluin@gmail.com>
Thanks, pushed to ubi-2.6.git tree with slightly amended commit message:
commit cf9e1e425172035575bee070df031c8a58015cb8
Author: Roel Kluin <roel.kluin@gmail.com>
Date: Mon Jun 22 19:21:38 2009 +0200
UBI: fix input parameters check in gluebi
size_t `len' is unsigned `len < 0' always fails.
`from' and `to' have type loff_t (signed). During the addition `len' is
converted to signed. So when `len' is negative `from + len` can be
less than `mtd->size' while `from' is larger than `mtd->size'. This
patch fixes this.
Signed-off-by: Roel Kluin <roel.kluin@gmail.com>
Signed-off-by: Artem Bityutskiy <Artem.Bityutskiy@nokia.com>
--
Best regards,
Artem Bityutskiy (Битюцкий Артём)
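Added example, not part of the thread or of the kernel source: a user-space C model of the bounds test the commit message above describes, comparing the pre-patch test, the patched test and a form that never adds offset and length. It assumes an LP64 build (loff_t as int64_t, size_t as uint64_t) and a uint64_t device size; check_old, check_patched, check_no_sum and EINVAL_MODEL are hypothetical names.

```c
#include <stdint.h>
#include <stdio.h>

#define EINVAL_MODEL 22   /* stand-in for the kernel's EINVAL */

/* Model of an LP64 build: loff_t -> int64_t, size_t -> uint64_t.
 * The device size is modelled as uint64_t (assumption, see lead-in). */

/* Pre-patch test. The `len < 0` term is left out: len is unsigned, so the
 * term is always false. The cast spells out the conversion C applies to
 * `from + len` when size_t is 64 bits wide. */
static int check_old(int64_t from, uint64_t len, uint64_t size)
{
    if (from < 0 || (uint64_t)from + len > size)
        return -EINVAL_MODEL;
    return 0;
}

/* Test as changed by the patch: len is bounded by the device size first. */
static int check_patched(int64_t from, uint64_t len, uint64_t size)
{
    if (len > size || from < 0 || (uint64_t)from + len > size)
        return -EINVAL_MODEL;
    return 0;
}

/* Hypothetical alternative, not from the thread: compare against the room
 * left after `from`, so no sum is formed and nothing can wrap. */
static int check_no_sum(int64_t from, uint64_t len, uint64_t size)
{
    if (from < 0 || (uint64_t)from > size || len > size - (uint64_t)from)
        return -EINVAL_MODEL;
    return 0;
}

int main(void)
{
    const uint64_t size = 1u << 20;        /* constructed 1 MiB device */
    const uint64_t wrapped = (uint64_t)-1; /* a "negative" len after wrap */

    printf("old:     %d\n", check_old((int64_t)size + 1, wrapped, size));
    printf("patched: %d\n", check_patched((int64_t)size + 1, wrapped, size));
    printf("no_sum:  %d\n", check_no_sum((int64_t)size + 1, wrapped, size));
    return 0;
}
```

For the constructed 1 MiB device the patched test and the sum-free form agree on every input; they differ only when the size itself approaches the top of the 64-bit range.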
* [PATCH] ubi: gluebi_{read, write} len + {from, to} can exceed mtd->size
@ 2009-06-22 17:21 Roel Kluin
2009-06-22 16:17 ` [PATCH] ubi: gluebi_{read,write} len + {from,to} " Artem Bityutskiy
0 siblings, 1 reply; 2+ messages in thread
From: Roel Kluin @ 2009-06-22 17:21 UTC (permalink / raw)
To: dedekind; +Cc: Andrew Morton, linux-mtd
when size_t `len' is negative it is wrapped so the test `len < 0' fails.
`from' and `to' have type loff_t (signed). During the addition `len' is
converted to signed. So when `len' is negative `from + len` can be
less than `mtd->size' while `from' is larger than `mtd->size'. This
patch fixes this.
Signed-off-by: Roel Kluin <roel.kluin@gmail.com>
---
It should be correct, but please review.
diff --git a/drivers/mtd/ubi/gluebi.c b/drivers/mtd/ubi/gluebi.c
index 95aaac0..093729b 100644
--- a/drivers/mtd/ubi/gluebi.c
+++ b/drivers/mtd/ubi/gluebi.c
@@ -173,7 +173,7 @@ static int gluebi_read(struct mtd_info *mtd, loff_t from, size_t len,
int err = 0, lnum, offs, total_read;
struct gluebi_device *gluebi;
- if (len < 0 || from < 0 || from + len > mtd->size)
+ if (len > mtd->size || from < 0 || from + len > mtd->size)
return -EINVAL;
gluebi = container_of(mtd, struct gluebi_device, mtd);
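Review bot: in gluebi_read the new test still forms `from + len` with `from` bounded only from below, so whether that sum can wrap depends on the widths and signedness of loff_t, size_t and mtd->size, none of which the check makes explicit. Once `len > mtd->size` has been rejected, the subtraction `mtd->size - len` cannot go below zero, so testing `from > mtd->size - len` expresses the same bound without an addition and is easier to reason about.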
@@ -217,7 +217,7 @@ static int gluebi_write(struct mtd_info *mtd, loff_t to, size_t len,
int err = 0, lnum, offs, total_written;
struct gluebi_device *gluebi;
- if (len < 0 || to < 0 || len + to > mtd->size)
+ if (len > mtd->size || to < 0 || len + to > mtd->size)
return -EINVAL;
gluebi = container_of(mtd, struct gluebi_device, mtd);
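Review bot: gluebi_write now carries the same three-part test as gluebi_read, differing only in operand order (`len + to` here, `from + len` there); a small shared helper taking the offset, the length and mtd->size would keep the two from drifting apart. A one-line comment saying why `len` is compared against mtd->size (it is unsigned, so the old `len < 0` could never be true) would also help the next reader.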