diff options
| author | Dan Carpenter <dan.carpenter@oracle.com> | 2014-05-29 04:23:23 -0400 |
|---|---|---|
| committer | Mike Snitzer <snitzer@redhat.com> | 2015-02-09 13:06:48 -0500 |
| commit | 3ca5a21a9c02bdebe2d95268482031f002efcf23 (patch) | |
| tree | 299c6cd87e488dc5f59449fc5dda1e68ed453007 /drivers/md/dm-raid.c | |
| parent | 65803c2059832fb99b992728157f7924c2e42d4b (diff) | |
dm raid: fix a couple integer overflows
My static checker complains that if "num_raid_params" is UINT_MAX then
the "if (num_raid_params + 1 > argc) {" check doesn't work as intended.
The other change is that I moved the "if (argc != (num_raid_devs * 2))"
condition forward a few lines so it was before the call to
context_alloc(). If we had an integer overflow inside that function
then it would lead to an immediate crash.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
Diffstat (limited to 'drivers/md/dm-raid.c')
| -rw-r--r-- | drivers/md/dm-raid.c | 16 |
1 files changed, 7 insertions, 9 deletions
diff --git a/drivers/md/dm-raid.c b/drivers/md/dm-raid.c index 07c0fa0fa284..41acc9dd7342 100644 --- a/drivers/md/dm-raid.c +++ b/drivers/md/dm-raid.c | |||
| @@ -1243,7 +1243,7 @@ static int raid_ctr(struct dm_target *ti, unsigned argc, char **argv) | |||
| 1243 | argv++; | 1243 | argv++; |
| 1244 | 1244 | ||
| 1245 | /* Skip over RAID params for now and find out # of devices */ | 1245 | /* Skip over RAID params for now and find out # of devices */ |
| 1246 | if (num_raid_params + 1 > argc) { | 1246 | if (num_raid_params >= argc) { |
| 1247 | ti->error = "Arguments do not agree with counts given"; | 1247 | ti->error = "Arguments do not agree with counts given"; |
| 1248 | return -EINVAL; | 1248 | return -EINVAL; |
| 1249 | } | 1249 | } |
| @@ -1254,6 +1254,12 @@ static int raid_ctr(struct dm_target *ti, unsigned argc, char **argv) | |||
| 1254 | return -EINVAL; | 1254 | return -EINVAL; |
| 1255 | } | 1255 | } |
| 1256 | 1256 | ||
| 1257 | argc -= num_raid_params + 1; /* +1: we already have num_raid_devs */ | ||
| 1258 | if (argc != (num_raid_devs * 2)) { | ||
| 1259 | ti->error = "Supplied RAID devices does not match the count given"; | ||
| 1260 | return -EINVAL; | ||
| 1261 | } | ||
| 1262 | |||
| 1257 | rs = context_alloc(ti, rt, (unsigned)num_raid_devs); | 1263 | rs = context_alloc(ti, rt, (unsigned)num_raid_devs); |
| 1258 | if (IS_ERR(rs)) | 1264 | if (IS_ERR(rs)) |
| 1259 | return PTR_ERR(rs); | 1265 | return PTR_ERR(rs); |
| @@ -1262,16 +1268,8 @@ static int raid_ctr(struct dm_target *ti, unsigned argc, char **argv) | |||
| 1262 | if (ret) | 1268 | if (ret) |
| 1263 | goto bad; | 1269 | goto bad; |
| 1264 | 1270 | ||
| 1265 | ret = -EINVAL; | ||
| 1266 | |||
| 1267 | argc -= num_raid_params + 1; /* +1: we already have num_raid_devs */ | ||
| 1268 | argv += num_raid_params + 1; | 1271 | argv += num_raid_params + 1; |
| 1269 | 1272 | ||
| 1270 | if (argc != (num_raid_devs * 2)) { | ||
| 1271 | ti->error = "Supplied RAID devices does not match the count given"; | ||
| 1272 | goto bad; | ||
| 1273 | } | ||
| 1274 | |||
| 1275 | ret = dev_parms(rs, argv); | 1273 | ret = dev_parms(rs, argv); |
| 1276 | if (ret) | 1274 | if (ret) |
| 1277 | goto bad; | 1275 | goto bad; |