On Wed, Jan 11, 2012 at 9:50 AM, Shirish Pargaonkar <shirishpargaonkar@xxxxxxxxx> wrote: > On Wed, Jan 11, 2012 at 1:46 AM, Dan Carpenter <dan.carpenter@xxxxxxxxxx> wrote: >> On 32 bit systems num_aces * sizeof(struct cifs_ace *) could overflow >> leading to a smaller ppace buffer than we expected. >> >> Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx> >> >> diff --git a/fs/cifs/cifsacl.c b/fs/cifs/cifsacl.c >> index 72ddf23..c1b2544 100644 >> --- a/fs/cifs/cifsacl.c >> +++ b/fs/cifs/cifsacl.c >> @@ -909,6 +909,8 @@ static void parse_dacl(struct cifs_acl *pdacl, char *end_of_acl, >> umode_t group_mask = S_IRWXG; >> umode_t other_mask = S_IRWXU | S_IRWXG | S_IRWXO; >> >> + if (num_aces > ULONG_MAX / sizeof(struct cifs_ace *)) > > Should an error/warning (like cifs client can't handle these many aces or > possible erroneous number of aces sent by server etc.) be logged before > returning? > >> + return; >> ppace = kmalloc(num_aces * sizeof(struct cifs_ace *), >> GFP_KERNEL); >> if (!ppace) { Perhaps. Also note that you would overflow maximum smb size if num aces is huge so would you have even gotten this far? -- Thanks, Steve -- To unsubscribe from this list: send the line "unsubscribe kernel-janitors" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html