On Apr 29, 2014, at 5:08 AM, Dan Carpenter wrote:

> On Sun, Apr 27, 2014 at 01:06:42PM -0400, Oleg Drokin wrote:
>> diff --git a/drivers/staging/lustre/lustre/llite/dir.c b/drivers/staging/lustre/lustre/llite/dir.c
>> index 7fbc18e..c391b60 100644
>> --- a/drivers/staging/lustre/lustre/llite/dir.c
>> +++ b/drivers/staging/lustre/lustre/llite/dir.c
>> @@ -1804,6 +1804,11 @@ out_rmdir:
>> /* Compute the whole struct size */
>> totalsize = hur_len(hur);
>
> hur_len() has an integer overflow bug.

Indeed. Thanks.
The below check for the MDS_MAXREQSIZE was aimed at fixing it, I guess. But it's obviously flawed.

>> OBD_FREE_PTR(hur);
>> +
>> + /* Final size will be more than double totalsize */
>> + if (totalsize >= MDS_MAXREQSIZE / 3)
>> + return -E2BIG;
>
> "totalsize" is signed and this condition doesn't take negatives into
> consideration. Make totalsize unsigned.

In fact we should just enforce a max limit on item count in hur structure above, and that would take care of both the overflow and here.

>> +
>> OBD_ALLOC_LARGE(hur, totalsize);
>
> How do we know that "totalsize" is more than sizeof(*hur)? If we fixed
> the overflow bug then maybe this isn't a problem. I haven't looked.

hur_size calculates total size as size of the struct hur (but using offsetof of its last member, which is a zero-sized array) + whatever the size of the follow-on items.

Bye,
Oleg
_______________________________________________
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxx
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel
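Review bot: the new `if (totalsize >= MDS_MAXREQSIZE / 3) return -E2BIG;` is evaluated only after `totalsize = hur_len(hur)` has already overflowed, and with a signed totalsize a negative result is below MDS_MAXREQSIZE / 3, passes the check, and is handed to `OBD_ALLOC_LARGE(hur, totalsize)` as a huge size; a result that wrapped to a small positive value passes too and yields an undersized allocation. Bound the user-supplied item count (and any trailing data length) against MDS_MAXREQSIZE before calling hur_len(), carry totalsize as an unsigned type such as size_t, and reject anything smaller than the fixed header, since a lower bound is the only thing that guarantees sizeof(*hur) fits. The comment "Final size will be more than double totalsize" should also say where the divisor of 3 in the check comes from, since the two do not match.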
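To make Dan's two objections and Oleg's proposed fix concrete, here is an added C example that is not part of the patch or of Lustre. It uses a simplified stand-in for the hsm_user_request layout (struct hur, hur_item, hur_header and the MDS_MAXREQSIZE_DEMO value are all assumed names and values for this demo), reproduces an int-truncating length computation in the shape of hur_len() and the signed `>= MDS_MAXREQSIZE / 3` check, and beside them a version that bounds the item count against the ceiling before multiplying and returns the size as size_t, so it can be neither negative nor smaller than the header.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Simplified stand-in for the Lustre hsm_user_request layout (assumed for this
 * demo, not the kernel's definition): a fixed header carrying a user-supplied
 * item count and trailing-data length, followed by a flexible array of items.
 */
struct hur_item {
    uint64_t fid[2];
    uint64_t extent[2];             /* 32 bytes per item */
};

struct hur_header {
    uint32_t action;
    uint32_t archive_id;
    uint64_t flags;
    uint32_t itemcount;             /* number of hur_item entries that follow */
    uint32_t data_len;              /* bytes of opaque data after the items */
};

struct hur {
    struct hur_header hdr;          /* 24 bytes, so items start at offset 24 */
    struct hur_item items[];
};

#define MDS_MAXREQSIZE_DEMO 5120    /* assumed request ceiling; a signed constant like the kernel's */

/* Unbounded computation in the shape of hur_len(): the arithmetic runs in
 * size_t, but the result is truncated to int, so a large itemcount wraps the
 * total to a small or even negative value.  (gcc/clang reduce the conversion
 * modulo 2^32; the C standard calls it implementation-defined.) */
int hur_len_naive(const struct hur_header *hdr)
{
    return (int)(offsetof(struct hur, items) +
                 hdr->itemcount * sizeof(struct hur_item) +
                 hdr->data_len);
}

/* The patch's check applied to a signed totalsize: 0 = accept, -E2BIG = reject.
 * A negative totalsize is below MDS_MAXREQSIZE / 3 and is therefore accepted. */
int size_check_flawed(int totalsize)
{
    if (totalsize >= MDS_MAXREQSIZE_DEMO / 3)
        return -E2BIG;
    return 0;
}

/* The size an allocator such as OBD_ALLOC_LARGE would actually be asked for:
 * a negative int becomes an enormous size_t. */
size_t alloc_size_requested(int totalsize)
{
    return (size_t)totalsize;
}

/* Hardened computation: bound the item count and data length against the
 * ceiling before multiplying, and hand the size back as size_t so it can
 * never be negative and is always at least the header size. */
int hur_len_checked(const struct hur_header *hdr, size_t *totalsize)
{
    const size_t base = offsetof(struct hur, items);
    const size_t max_items = (MDS_MAXREQSIZE_DEMO - base) / sizeof(struct hur_item);
    size_t n;

    if (hdr->itemcount > max_items)
        return -E2BIG;              /* rules out overflow in the product below */
    n = base + (size_t)hdr->itemcount * sizeof(struct hur_item);
    if (hdr->data_len > MDS_MAXREQSIZE_DEMO - n)
        return -E2BIG;              /* n <= ceiling here, so the subtraction is safe */
    *totalsize = n + hdr->data_len;
    return 0;
}

/* Scalar wrappers for experiments with constructed headers. */
int naive_size(uint32_t itemcount, uint32_t data_len)
{
    struct hur_header hdr = { .itemcount = itemcount, .data_len = data_len };
    return hur_len_naive(&hdr);
}

size_t checked_size_or_zero(uint32_t itemcount, uint32_t data_len)
{
    struct hur_header hdr = { .itemcount = itemcount, .data_len = data_len };
    size_t sz;
    return hur_len_checked(&hdr, &sz) == 0 ? sz : 0;
}

int main(void)
{
    /* Constructed inputs: 2^27 items * 32 bytes = 2^32 wraps to just the header;
     * 2^26 items * 32 bytes = 2^31 wraps to a negative int. */
    int small = naive_size(0x08000000u, 0);
    int neg   = naive_size(0x04000000u, 0);

    printf("2^27 items: naive len %d, flawed check %s\n",
           small, size_check_flawed(small) ? "rejects" : "accepts");
    printf("2^26 items: naive len %d, flawed check %s, alloc would request %zu bytes\n",
           neg, size_check_flawed(neg) ? "rejects" : "accepts",
           alloc_size_requested(neg));
    printf("checked: 2^27 items -> %zu (0 = rejected), 100 items + 16 bytes -> %zu\n",
           checked_size_or_zero(0x08000000u, 0), checked_size_or_zero(100, 16));
    return 0;
}
```

The ordering in hur_len_checked() is the point: the item count is compared against a bound derived from the ceiling first, so the later multiplication cannot wrap, and the data length is compared against the remaining headroom rather than added and then checked. Dividing the ceiling by 3, as the patch does, is not needed once the bound is applied to the inputs rather than to an already-overflowed total.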