nilfs2: avoid overflowing segment numbers in nilfs_ioctl_clean_segments()

nsegs is read from userspace.  Limit its value and avoid overflowing nsegs
* sizeof(__u64) in the subsequent call to memdup_user().

This patch complements 481fe17 ("nilfs2: potential integer overflow
in nilfs_ioctl_clean_segments()").

Signed-off-by: Xi Wang <xi.wang@gmail.com>
Cc: Haogang Chen <haogangchen@gmail.com>
Acked-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Xi Wang authored and Linus Torvalds committed Feb 9, 2012
1 parent 98e9685 commit 1ecd3c7
Showing 1 changed file with 2 additions and 0 deletions.
2 changes: 2 additions & 0 deletions fs/nilfs2/ioctl.c
Expand Up @@ -603,6 +603,8 @@ static int nilfs_ioctl_clean_segments(struct inode *inode, struct file *filp,
nsegs = argv[4].v_nmembs;
if (argv[4].v_size != argsz[4])
goto out;
if (nsegs > UINT_MAX / sizeof(__u64))
goto out;

/*
* argv[4] points to segment numbers this ioctl cleans. We
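
Review bot: The new test `if (nsegs > UINT_MAX / sizeof(__u64))` carries no comment saying why UINT_MAX is the limit, and the `goto out;` under it sets no error code of its own. memdup_user() takes a size_t length, so on 64-bit builds this bound is stricter than the multiplication needs and works as a sanity cap on a userspace-supplied count; a one-line comment saying so would keep a later cleanup from "correcting" it to SIZE_MAX. Please also confirm that the return value is already the intended error (for example -EINVAL) when this path jumps to `out`, as the hunk relies on whatever was assigned before the preceding `argv[4].v_size != argsz[4]` check. Separately, the cap still admits a copy approaching 4 GiB; if a filesystem-derived limit on the number of segments is available at this point, comparing nsegs against that would be a tighter bound.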