]> git.baikalelectronics.ru Git - kernel.git/commit
projects / kernel.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: d5abe13) | patch
rbd: fix integer overflow in rbd_header_from_disk()
authorXi Wang <xi.wang@gmail.com>
Fri, 20 Apr 2012 20:49:44 +0000 (15:49 -0500)
committerAlex Elder <elder@dreamhost.com>
Mon, 14 May 2012 17:12:41 +0000 (12:12 -0500)
commitbb9d44d07e49c038aa5badf93519ffe6fd4669e6
treea37aa5a2aad9e434bf6b77e0b65601b6e30589b2tree | snapshot
parentd5abe13edf04b3222b1aa17f92ea8c73e51c02dfcommit | diff
rbd: fix integer overflow in rbd_header_from_disk()

ondisk->snap_count is read from disk via rbd_req_sync_read() and thus
needs validation.  Otherwise, a bogus `snap_count' could overflow the
kmalloc() size, leading to memory corruption.

Also use `u32' consistently for `snap_count'.

[elder@dreamhost.com: changed to use UINT_MAX rather than ULONG_MAX]

Signed-off-by: Xi Wang <xi.wang@gmail.com>
Reviewed-by: Alex Elder <elder@dreamhost.com>
drivers/block/rbd.c diff | blob | history
Linux Kernel Source Tree.