cifs: integer overflow in parse_dacl()
authorDan Carpenter <dan.carpenter@oracle.com>
Wed, 11 Jan 2012 07:46:27 +0000 (10:46 +0300)
committerSteve French <smfrench@gmail.com>
Thu, 12 Jan 2012 19:17:36 +0000 (13:17 -0600)
On 32 bit systems num_aces * sizeof(struct cifs_ace *) could overflow
leading to a smaller ppace buffer than we expected.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Acked-by: Jeff Layton <jlayton@samba.org>
Signed-off-by: Steve French <smfrench@gmail.com>
fs/cifs/cifsacl.c

index 72ddf23ef6f7d77145dbe765732633ff8e588076..c1b254487388ab3a23ce4af9d1226e84a7ead901 100644 (file)
@@ -909,6 +909,8 @@ static void parse_dacl(struct cifs_acl *pdacl, char *end_of_acl,
                umode_t group_mask = S_IRWXG;
                umode_t other_mask = S_IRWXU | S_IRWXG | S_IRWXO;
 
+               if (num_aces > ULONG_MAX / sizeof(struct cifs_ace *))
+                       return;
                ppace = kmalloc(num_aces * sizeof(struct cifs_ace *),
                                GFP_KERNEL);
                if (!ppace) {