The dm_round_up function may overflow to zero. In this case, we need to
fail, rather than allocate empty array.
This fixes a possible memory corruption that could be caused by passing
too big number in "param->target_count".
Signed-off-by: Mikulas Patocka <mpatocka@xxxxxxxxxx>
Cc: stable@xxxxxxxxxx
---
drivers/md/dm-table.c | 5 +++++
1 file changed, 5 insertions(+)
Index: linux-3.12-fast/drivers/md/dm-table.c
===================================================================
--- linux-3.12-fast.orig/drivers/md/dm-table.c 2013-11-22 21:24:52.000000000 +0100
+++ linux-3.12-fast/drivers/md/dm-table.c 2013-11-22 21:25:59.000000000 +0100
@@ -194,6 +194,11 @@ int dm_table_create(struct dm_table **re
num_targets = dm_round_up(num_targets, KEYS_PER_NODE);
+ if (!num_targets) {
+ kfree(t);
+ return -ENOMEM;
+ }
+
if (alloc_targets(t, num_targets)) {
kfree(t);
return -ENOMEM;
--
dm-devel mailing list
dm-devel@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/dm-devel
