From 7bc3dfa37ba6f6ea81c362eb1993bd20c0828eae Mon Sep 17 00:00:00 2001 From: Vitaly Osipov Date: Sun, 27 Apr 2014 01:08:21 +1000 Subject: [PATCH] staging: lustre: check for integer overflow In ll_ioctl_fiemap(), a user-supplied value is used to calculate a length of a buffer which is later allocated with user data. Signed-off-by: Vitaly Osipov Signed-off-by: Greg Kroah-Hartman --- drivers/staging/lustre/lustre/llite/file.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/drivers/staging/lustre/lustre/llite/file.c b/drivers/staging/lustre/lustre/llite/file.c index 562e33751197..d87f96d9e0fa 100644 --- a/drivers/staging/lustre/lustre/llite/file.c +++ b/drivers/staging/lustre/lustre/llite/file.c @@ -1829,6 +1829,10 @@ static int ll_ioctl_fiemap(struct inode *inode, unsigned long arg) if (get_user(extent_count, &((struct ll_user_fiemap __user *)arg)->fm_extent_count)) return -EFAULT; + + if (extent_count >= + (SIZE_MAX - sizeof(*fiemap_s)) / sizeof(struct ll_fiemap_extent)) + return -EINVAL; num_bytes = sizeof(*fiemap_s) + (extent_count * sizeof(struct ll_fiemap_extent)); -- 2.20.1