Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 0439f31c authored by Dan Carpenter's avatar Dan Carpenter Committed by Trond Myklebust
Browse files

NFSv4.1: integer overflow in decode_cb_sequence_args() 



This seems like it could overflow on 32 bits.  Use kmalloc_array() which
has overflow protection built in.

Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: default avatarTrond Myklebust <Trond.Myklebust@netapp.com>
parent 92123e06

fs/nfs/callback_xdr.c

+3 −3
Original line number Diff line number Diff line
@@ -455,7 +455,7 @@ static __be32 decode_cb_sequence_args(struct svc_rqst *rqstp, 
	args->csa_nrclists = ntohl(*p++);

	args->csa_rclists = NULL;

	if (args->csa_nrclists) {

		args->csa_rclists = kmalloc(args->csa_nrclists *

		args->csa_rclists = kmalloc_array(args->csa_nrclists,

						  sizeof(*args->csa_rclists),

						  GFP_KERNEL);

		if (unlikely(args->csa_rclists == NULL))