libceph: fix overflow check in crush_decode()
authorXi Wang <xi.wang@gmail.com>
Thu, 16 Feb 2012 16:55:48 +0000 (11:55 -0500)
committerAlex Elder <elder@dreamhost.com>
Thu, 22 Mar 2012 15:47:45 +0000 (10:47 -0500)
The existing overflow check (n > ULONG_MAX / b) didn't work, because
n = ULONG_MAX / b would both bypass the check and still overflow the
allocation size a + n * b.

The correct check should be (n > (ULONG_MAX - a) / b).

Signed-off-by: Xi Wang <xi.wang@gmail.com>
Signed-off-by: Sage Weil <sage@newdream.net>
net/ceph/osdmap.c

index fd863fe76934afb33bbee5583d68028366f23b91..29ad46ec9dcfc1d6de7c680c9555c00f5ac6546e 100644 (file)
@@ -283,7 +283,8 @@ static struct crush_map *crush_decode(void *pbyval, void *end)
                ceph_decode_32_safe(p, end, yes, bad);
 #if BITS_PER_LONG == 32
                err = -EINVAL;
-               if (yes > ULONG_MAX / sizeof(struct crush_rule_step))
+               if (yes > (ULONG_MAX - sizeof(*r))
+                         / sizeof(struct crush_rule_step))
                        goto bad;
 #endif
                r = c->rules[i] = kmalloc(sizeof(*r) +