diff options
| author | NeilBrown <neilb@suse.de> | 2009-08-02 20:59:56 -0400 |
|---|---|---|
| committer | NeilBrown <neilb@suse.de> | 2009-08-02 20:59:56 -0400 |
| commit | 3673f305faf1bc66ead751344f8262ace851ff44 (patch) | |
| tree | 4cbdd23d9af20632678e95b3e8f02ede241a3917 | |
| parent | 3a981b03f38dc3b8a69b77cbc679e66c1318a44a (diff) | |
md: avoid array overflow with bad v1.x metadata
We trust the 'desc_nr' field in v1.x metadata enough to use it
as an index in an array. This isn't really safe.
So range-check the value first.
Signed-off-by: NeilBrown <neilb@suse.de>
| -rw-r--r-- | drivers/md/md.c | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/drivers/md/md.c b/drivers/md/md.c index c194955aecae..249b2896d4ea 100644 --- a/drivers/md/md.c +++ b/drivers/md/md.c | |||
| @@ -1308,7 +1308,12 @@ static int super_1_validate(mddev_t *mddev, mdk_rdev_t *rdev) | |||
| 1308 | } | 1308 | } |
| 1309 | if (mddev->level != LEVEL_MULTIPATH) { | 1309 | if (mddev->level != LEVEL_MULTIPATH) { |
| 1310 | int role; | 1310 | int role; |
| 1311 | role = le16_to_cpu(sb->dev_roles[rdev->desc_nr]); | 1311 | if (rdev->desc_nr < 0 || |
| 1312 | rdev->desc_nr >= le32_to_cpu(sb->max_dev)) { | ||
| 1313 | role = 0xffff; | ||
| 1314 | rdev->desc_nr = -1; | ||
| 1315 | } else | ||
| 1316 | role = le16_to_cpu(sb->dev_roles[rdev->desc_nr]); | ||
| 1312 | switch(role) { | 1317 | switch(role) { |
| 1313 | case 0xffff: /* spare */ | 1318 | case 0xffff: /* spare */ |
| 1314 | break; | 1319 | break; |