staging: lustre: check for integer overflow

In ll_ioctl_fiemap(), a user-supplied value is used to calculate a length of a buffer which is later allocated with user data. Signed-off-by: Vitaly Osipov <vitaly.osipov@gmail.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

staging: lustre: check for integer overflow
In ll_ioctl_fiemap(), a user-supplied value is used to calculate a length of a buffer which is later allocated with user data. Signed-off-by: Vitaly Osipov <vitaly.osipov@gmail.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
7bc3dfa3 · Vitaly Osipov · Greg Kroah-Hartman · 37aa4836 · 7bc3dfa3
Commit 7bc3dfa3 authored Apr 27, 2014 by Vitaly Osipov Committed by Greg Kroah-Hartman May 03, 2014
Hide whitespace changes
Inline Side-by-side

Showing with 4 additions and 0 deletions

drivers/staging/lustre/lustre/llite/file.c drivers/staging/lustre/lustre/llite/file.c +4 -0

No files found.
--- a/drivers/staging/lustre/lustre/llite/file.c
+++ b/drivers/staging/lustre/lustre/llite/file.c
@@ -1829,6 +1829,10 @@ static int ll_ioctl_fiemap(struct inode *inode, unsigned long arg)
 	if (get_user(extent_count,
 	    &((struct ll_user_fiemap __user *)arg)->fm_extent_count))
 		return -EFAULT;
+
+	if (extent_count >=
+	    (SIZE_MAX - sizeof(*fiemap_s)) / sizeof(struct ll_fiemap_extent))
+		return -EINVAL;
 	num_bytes = sizeof(*fiemap_s) + (extent_count *
 					 sizeof(struct ll_fiemap_extent));