* [patch] nfs: check for integer overflow in decode_devicenotify_args()
@ 2012-01-12 7:16 Dan Carpenter
0 siblings, 0 replies; only message in thread
From: Dan Carpenter @ 2012-01-12 7:16 UTC (permalink / raw)
To: Trond Myklebust; +Cc: linux-nfs, kernel-janitors
On 32 bit, if n is too large then "n * sizeof(*args->devs)" could
overflow and args->devs would be smaller than expected.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
This is a static checker fix. I haven't tested this. Sorry for that.
diff --git a/fs/nfs/callback_xdr.c b/fs/nfs/callback_xdr.c
index 726e59a..d50b274 100644
--- a/fs/nfs/callback_xdr.c
+++ b/fs/nfs/callback_xdr.c
@@ -305,6 +305,10 @@ __be32 decode_devicenotify_args(struct svc_rqst *rqstp,
n = ntohl(*p++);
if (n <= 0)
goto out;
+ if (n > ULONG_MAX / sizeof(*args->devs)) {
+ status = htonl(NFS4ERR_BADXDR);
+ goto out;
+ }
args->devs = kmalloc(n * sizeof(*args->devs), GFP_KERNEL);
if (!args->devs) {
^ permalink raw reply related [flat|nested] only message in thread
only message in thread, other threads:[~2012-01-12 7:16 UTC | newest]
Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2012-01-12 7:16 [patch] nfs: check for integer overflow in decode_devicenotify_args() Dan Carpenter
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).