Applied these both, thanks!

sage

On Thu, 16 Feb 2012, Xi Wang wrote:

> The existing overflow check (n > ULONG_MAX / b) didn't work, because
> n = ULONG_MAX / b would both bypass the check and still overflow the
> allocation size a + n * b.
>
> The correct check should be (n > (ULONG_MAX - a) / b).
>
> Signed-off-by: Xi Wang <xi.wang@xxxxxxxxx>
> ---
> net/ceph/osdmap.c | 3 ++-
> 1 files changed, 2 insertions(+), 1 deletions(-)
>
> diff --git a/net/ceph/osdmap.c b/net/ceph/osdmap.c
> index fd863fe..29ad46e 100644
> --- a/net/ceph/osdmap.c
> +++ b/net/ceph/osdmap.c
> @@ -283,7 +283,8 @@ static struct crush_map *crush_decode(void *pbyval, void *end)
> ceph_decode_32_safe(p, end, yes, bad);
> #if BITS_PER_LONG == 32
> err = -EINVAL;
> - if (yes > ULONG_MAX / sizeof(struct crush_rule_step))
> + if (yes > (ULONG_MAX - sizeof(*r))
> + / sizeof(struct crush_rule_step))
> goto bad;
> #endif
> r = c->rules[i] = kmalloc(sizeof(*r) +
> --
> 1.7.5.4
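
Review bot: the new bound on the `+` lines in crush_decode() is open-coded separately from the size expression of the allocation it protects, the one that begins `kmalloc(sizeof(*r) +` just below, so nothing keeps the two in step if the header or the step type changes later. A one-line comment above the `if` naming the allocation it guards (the a + n * b form from the commit message, with a = sizeof(*r) and b = sizeof(struct crush_rule_step)) would make that dependency visible to the next person touching either line. Minor style point on the same lines: the continuation starts with the `/` operator; leaving the operator at the end of the first line reads more naturally and makes it harder to mistake the second line for a separate expression.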