forked from luck/tmp_suning_uos_patched
libceph: fix overflow check in crush_decode()
The existing overflow check (n > ULONG_MAX / b) didn't work, because n = ULONG_MAX / b would both bypass the check and still overflow the allocation size a + n * b. The correct check should be (n > (ULONG_MAX - a) / b). Signed-off-by: Xi Wang <xi.wang@gmail.com> Signed-off-by: Sage Weil <sage@newdream.net>
This commit is contained in:
parent
810339ec2f
commit
6448669777
|
@ -283,7 +283,8 @@ static struct crush_map *crush_decode(void *pbyval, void *end)
|
|||
ceph_decode_32_safe(p, end, yes, bad);
|
||||
#if BITS_PER_LONG == 32
|
||||
err = -EINVAL;
|
||||
if (yes > ULONG_MAX / sizeof(struct crush_rule_step))
|
||||
if (yes > (ULONG_MAX - sizeof(*r))
|
||||
/ sizeof(struct crush_rule_step))
|
||||
goto bad;
|
||||
#endif
|
||||
r = c->rules[i] = kmalloc(sizeof(*r) +
|
||||
|
|
Loading…
Reference in New Issue
Block a user