Commit 50f7c4c9 authored by Xi Wang's avatar Xi Wang Committed by Alex Elder

rbd: fix integer overflow in rbd_header_from_disk()

ondisk->snap_count is read from disk via rbd_req_sync_read() and thus
needs validation.  Otherwise, a bogus `snap_count' could overflow the
kmalloc() size, leading to memory corruption.

Also use `u32' consistently for `snap_count'.

[elder@dreamhost.com: changed to use UINT_MAX rather than ULONG_MAX]
Signed-off-by: default avatarXi Wang <xi.wang@gmail.com>
Reviewed-by: default avatarAlex Elder <elder@dreamhost.com>
parent f8ad495a
......@@ -487,16 +487,18 @@ static void rbd_coll_release(struct kref *kref)
*/
static int rbd_header_from_disk(struct rbd_image_header *header,
struct rbd_image_header_ondisk *ondisk,
int allocated_snaps,
u32 allocated_snaps,
gfp_t gfp_flags)
{
int i;
u32 snap_count;
u32 i, snap_count;
if (memcmp(ondisk, RBD_HEADER_TEXT, sizeof(RBD_HEADER_TEXT)))
return -ENXIO;
snap_count = le32_to_cpu(ondisk->snap_count);
if (snap_count > (UINT_MAX - sizeof(struct ceph_snap_context))
/ sizeof (*ondisk))
return -EINVAL;
header->snapc = kmalloc(sizeof(struct ceph_snap_context) +
snap_count * sizeof (*ondisk),
gfp_flags);
......@@ -1591,7 +1593,7 @@ static int rbd_read_header(struct rbd_device *rbd_dev,
{
ssize_t rc;
struct rbd_image_header_ondisk *dh;
int snap_count = 0;
u32 snap_count = 0;
u64 ver;
size_t len;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment