sizeof_imsm_dev() should return value that can satisfy map operation for 2 maps of size equal to bigger one. If function reports too small value copy of bigger map can overwrite other data in memory.

Signed-off-by: Adam Kwolek <adam.kwolek@xxxxxxxxx>
---
 super-intel.c | 13 +++++++++----
 1 files changed, 9 insertions(+), 4 deletions(-)

diff --git a/super-intel.c b/super-intel.c
index 0c988d6..3c969c3 100644
--- a/super-intel.c
+++ b/super-intel.c
@@ -584,12 +584,17 @@ static size_t sizeof_imsm_dev(struct imsm_dev *dev, int migr_state)
 {
 size_t size = sizeof(*dev) - sizeof(struct imsm_map) + sizeof_imsm_map(get_imsm_map(dev, 0));
+ int map_size = sizeof_imsm_map(get_imsm_map(dev, 0));
+
+ if (dev->vol.migr_state) {
+ int map1_size = sizeof_imsm_map(get_imsm_map(dev, 1));
+ if (map1_size > map_size)
+ map_size = map1_size;
+ }
 /* migrating means an additional map */
- if (dev->vol.migr_state)
- size += sizeof_imsm_map(get_imsm_map(dev, 1));
- else if (migr_state)
- size += sizeof_imsm_map(get_imsm_map(dev, 0));
+ if ((dev->vol.migr_state) || (migr_state))
+ size += map_size;
 return size;
 }
--
To unsubscribe from this list: send the line "unsubscribe linux-raid" in the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
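Review bot: The returned size still falls short of what the commit message asks for ("2 maps of size equal to bigger one"): `size` is initialised at the top of the hunk from map 0 before `map_size` is known, so for a migrating device the result is map0 plus max(map0, map1) rather than twice the larger map, and if a caller copies a larger map 1 into slot 0 the write can still run past the allocation this value was used for. Computing `map_size` first and using it for the base term as well closes that gap and also removes the duplicated `sizeof_imsm_map(get_imsm_map(dev, 0))` call. `map_size` and `map1_size` are declared `int` while `size` is `size_t`; declaring them `size_t` (presumably what sizeof_imsm_map returns, given this function's own return type) avoids the signed/unsigned mix in `size += map_size`. The extra parentheses in `if ((dev->vol.migr_state) || (migr_state))` add nothing and can be dropped.
```c
static size_t sizeof_imsm_dev(struct imsm_dev *dev, int migr_state)
{
	size_t map_size = sizeof_imsm_map(get_imsm_map(dev, 0));
	size_t size;

	if (dev->vol.migr_state) {
		size_t map1_size = sizeof_imsm_map(get_imsm_map(dev, 1));
		if (map1_size > map_size)
			map_size = map1_size;
	}

	/* size the first slot for the larger map too, so either map fits in either slot */
	size = sizeof(*dev) - sizeof(struct imsm_map) + map_size;

	/* migrating means an additional map */
	if (dev->vol.migr_state || migr_state)
		size += map_size;
	/* … unchanged: return size … */
```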