Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 64486697 authored by Xi Wang's avatar Xi Wang Committed by Alex Elder
Browse files

libceph: fix overflow check in crush_decode() 



The existing overflow check (n > ULONG_MAX / b) didn't work, because
n = ULONG_MAX / b would both bypass the check and still overflow the
allocation size a + n * b.

The correct check should be (n > (ULONG_MAX - a) / b).

Signed-off-by: default avatarXi Wang <xi.wang@gmail.com>
Signed-off-by: default avatarSage Weil <sage@newdream.net>
parent 810339ec

net/ceph/osdmap.c

+2 −1
Original line number Original line Diff line number Diff line
@@ -283,7 +283,8 @@ static struct crush_map *crush_decode(void *pbyval, void *end) 
		ceph_decode_32_safe(p, end, yes, bad);

		ceph_decode_32_safe(p, end, yes, bad);

#if BITS_PER_LONG == 32

#if BITS_PER_LONG == 32

		err = -EINVAL;

		err = -EINVAL;

		if (yes > ULONG_MAX / sizeof(struct crush_rule_step))

		if (yes > (ULONG_MAX - sizeof(*r))

			  / sizeof(struct crush_rule_step))

			goto bad;

			goto bad;

#endif

#endif

		r = c->rules[i] = kmalloc(sizeof(*r) +

		r = c->rules[i] = kmalloc(sizeof(*r) +