u32 allocated_snaps)
{
u32 snap_count;
+ size_t size;
if (!rbd_dev_ondisk_valid(ondisk))
return -ENXIO;
snap_count = le32_to_cpu(ondisk->snap_count);
- if (snap_count > (SIZE_MAX - sizeof(struct ceph_snap_context))
- / sizeof (u64))
+
+ /* Make sure we don't overflow below */
+ size = SIZE_MAX - sizeof (struct ceph_snap_context);
+ if (snap_count > size / sizeof (header->snapc->snaps[0]))
return -EINVAL;
- header->snapc = kmalloc(sizeof(struct ceph_snap_context) +
- snap_count * sizeof(u64),
- GFP_KERNEL);
+
+ size = sizeof (struct ceph_snap_context);
+ size += snap_count * sizeof (header->snapc->snaps[0]);
+ header->snapc = kmalloc(size, GFP_KERNEL);
if (!header->snapc)
return -ENOMEM;
GFP_KERNEL);
if (!header->snap_names)
goto err_snapc;
- header->snap_sizes = kmalloc(snap_count * sizeof(u64),
- GFP_KERNEL);
+ size = snap_count * sizeof (*header->snap_sizes);
+ header->snap_sizes = kmalloc(size, GFP_KERNEL);
if (!header->snap_sizes)
goto err_names;
} else {
header->snap_sizes = NULL;
}
- header->object_prefix = kmalloc(sizeof (ondisk->block_name) + 1,
- GFP_KERNEL);
+ size = sizeof (ondisk->block_name) + 1;
+ header->object_prefix = kmalloc(size, GFP_KERNEL);
if (!header->object_prefix)
goto err_sizes;
-
- memcpy(header->object_prefix, ondisk->block_name,
- sizeof(ondisk->block_name));
- header->object_prefix[sizeof (ondisk->block_name)] = '\0';
+ memcpy(header->object_prefix, ondisk->block_name, size - 1);
+ header->object_prefix[size - 1] = '\0';
header->image_size = le64_to_cpu(ondisk->image_size);
header->obj_order = ondisk->options.order;
projects / GitHub / LineageOS / android_kernel_motorola_exynos9610.git / commitdiff