cifs: integer overflow in parse_dacl()

author Dan Carpenter <dan.carpenter@oracle.com>

Wed, 11 Jan 2012 07:46:27 +0000 (10:46 +0300)

committer Steve French <smfrench@gmail.com>

Thu, 12 Jan 2012 19:17:36 +0000 (13:17 -0600)
author Dan Carpenter <dan.carpenter@oracle.com>
Wed, 11 Jan 2012 07:46:27 +0000 (10:46 +0300)
committer Steve French <smfrench@gmail.com>
Thu, 12 Jan 2012 19:17:36 +0000 (13:17 -0600)
diff --git a/fs/cifs/cifsacl.c b/fs/cifs/cifsacl.c

index 72ddf23ef6f7d77145dbe765732633ff8e588076..c1b254487388ab3a23ce4af9d1226e84a7ead901 100644 (file)
--- a/fs/cifs/cifsacl.c
+++ b/fs/cifs/cifsacl.c
@@ -909,6 +909,8 @@ static void parse_dacl(struct cifs_acl *pdacl, char *end_of_acl,
                 umode_t group_mask = S_IRWXG;
                 umode_t other_mask = S_IRWXU | S_IRWXG | S_IRWXO;
  
+               if (num_aces > ULONG_MAX / sizeof(struct cifs_ace *))
+                       return;
                 ppace = kmalloc(num_aces * sizeof(struct cifs_ace *),
                                 GFP_KERNEL);
                 if (!ppace) {
author	Dan Carpenter <dan.carpenter@oracle.com>
	Wed, 11 Jan 2012 07:46:27 +0000 (10:46 +0300)
committer	Steve French <smfrench@gmail.com>
	Thu, 12 Jan 2012 19:17:36 +0000 (13:17 -0600)