Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 0439f31c authored by Dan Carpenter's avatar Dan Carpenter Committed by Trond Myklebust
Browse files

NFSv4.1: integer overflow in decode_cb_sequence_args()



This seems like it could overflow on 32 bits.  Use kmalloc_array() which
has overflow protection built in.

Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: default avatarTrond Myklebust <Trond.Myklebust@netapp.com>
parent 92123e06
Loading
Loading
Loading
Loading
+3 −3
Original line number Diff line number Diff line
@@ -455,7 +455,7 @@ static __be32 decode_cb_sequence_args(struct svc_rqst *rqstp,
	args->csa_nrclists = ntohl(*p++);
	args->csa_rclists = NULL;
	if (args->csa_nrclists) {
		args->csa_rclists = kmalloc(args->csa_nrclists *
		args->csa_rclists = kmalloc_array(args->csa_nrclists,
						  sizeof(*args->csa_rclists),
						  GFP_KERNEL);
		if (unlikely(args->csa_rclists == NULL))