diff options
| author | Mikulas Patocka <mpatocka@redhat.com> | 2013-11-22 19:52:06 -0500 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2013-12-20 10:45:11 -0500 |
| commit | 135949c10b4f97eaf9da90535e18c6a2a0e2993a (patch) | |
| tree | d5f012c6939d14f65e7eb5ebcce7d695a566a9b3 /drivers/md | |
| parent | 2c54d62aa894ff2675272e0570abcb0ab76a3aa4 (diff) | |
dm table: fail dm_table_create on dm_round_up overflow
commit 5b2d06576c5410c10d95adfd5c4d8b24de861d87 upstream.
The dm_round_up function may overflow to zero. In this case,
dm_table_create() must fail rather than go on to allocate an empty array
with alloc_targets().
This fixes a possible memory corruption that could be caused by passing
too large a number in "param->target_count".
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'drivers/md')
| -rw-r--r-- | drivers/md/dm-table.c | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/drivers/md/dm-table.c b/drivers/md/dm-table.c index 9e3a045eb7a2..bd88d3dade1e 100644 --- a/drivers/md/dm-table.c +++ b/drivers/md/dm-table.c | |||
| @@ -215,6 +215,11 @@ int dm_table_create(struct dm_table **result, fmode_t mode, | |||
| 215 | 215 | ||
| 216 | num_targets = dm_round_up(num_targets, KEYS_PER_NODE); | 216 | num_targets = dm_round_up(num_targets, KEYS_PER_NODE); |
| 217 | 217 | ||
| 218 | if (!num_targets) { | ||
| 219 | kfree(t); | ||
| 220 | return -ENOMEM; | ||
| 221 | } | ||
| 222 | |||
| 218 | if (alloc_targets(t, num_targets)) { | 223 | if (alloc_targets(t, num_targets)) { |
| 219 | kfree(t); | 224 | kfree(t); |
| 220 | return -ENOMEM; | 225 | return -ENOMEM; |