Re: [PATCH 18/47] staging/lustre/hsm: HSM requests not delivered

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Apr 29, 2014, at 5:08 AM, Dan Carpenter wrote:

> On Sun, Apr 27, 2014 at 01:06:42PM -0400, Oleg Drokin wrote:
>> diff --git a/drivers/staging/lustre/lustre/llite/dir.c b/drivers/staging/lustre/lustre/llite/dir.c
>> index 7fbc18e..c391b60 100644
>> --- a/drivers/staging/lustre/lustre/llite/dir.c
>> +++ b/drivers/staging/lustre/lustre/llite/dir.c
>> @@ -1804,6 +1804,11 @@ out_rmdir:
>> 		/* Compute the whole struct size */
>> 		totalsize = hur_len(hur);
> hur_len() has an integer overflow bug.

Indeed. Thanks.

The below check for the MDS_MAXREQSIZE was aimed at fixing it, I guess. But it's obviously flawed.

>> 		OBD_FREE_PTR(hur);
>> +
>> +		/* Final size will be more than double totalsize */
>> +		if (totalsize >= MDS_MAXREQSIZE / 3)
>> +			return -E2BIG;
> "totalsize" is signed and this condition doesn't take negatives into
> consideration.  Make totalsize unsigned.

In fact we should just enforce a max limit on item count in hur structure above
and that would take care of both the overflow and here.

>> +
>> 		OBD_ALLOC_LARGE(hur, totalsize);
> How do we know that "totalsize" is more than sizeof(*hur)?  If we fixed
> the overflow bug then maybe this isn't a problem.  I haven't looked.

hur_size calculates total size as size of the struct hur (but using offset_of of it's last member that's a zero-sized array + whatever the size of the follow on items.

Bye,
    Oleg
_______________________________________________
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxx
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel




[Index of Archives]     [Linux Driver Backports]     [DMA Engine]     [Linux GPIO]     [Linux SPI]     [Video for Linux]     [Linux USB Devel]     [Linux Coverity]     [Linux Audio Users]     [Linux Kernel]     [Linux SCSI]     [Yosemite Backpacking]
  Powered by Linux