From: Vitaly Osipov Date: Sat, 26 Apr 2014 15:08:21 +0000 (+1000) Subject: staging: lustre: check for integer overflow X-Git-Url: http://git.lede-project.org./?a=commitdiff_plain;h=7bc3dfa37ba6f6ea81c362eb1993bd20c0828eae;p=openwrt%2Fstaging%2Fblogic.git staging: lustre: check for integer overflow In ll_ioctl_fiemap(), a user-supplied value is used to calculate a length of a buffer which is later allocated with user data. Signed-off-by: Vitaly Osipov Signed-off-by: Greg Kroah-Hartman --- diff --git a/drivers/staging/lustre/lustre/llite/file.c b/drivers/staging/lustre/lustre/llite/file.c index 562e33751197..d87f96d9e0fa 100644 --- a/drivers/staging/lustre/lustre/llite/file.c +++ b/drivers/staging/lustre/lustre/llite/file.c @@ -1829,6 +1829,10 @@ static int ll_ioctl_fiemap(struct inode *inode, unsigned long arg) if (get_user(extent_count, &((struct ll_user_fiemap __user *)arg)->fm_extent_count)) return -EFAULT; + + if (extent_count >= + (SIZE_MAX - sizeof(*fiemap_s)) / sizeof(struct ll_fiemap_extent)) + return -EINVAL; num_bytes = sizeof(*fiemap_s) + (extent_count * sizeof(struct ll_fiemap_extent));