aboutsummaryrefslogtreecommitdiffstats
path: root/fs/nilfs2
diff options
context:
space:
mode:
authorXi Wang <xi.wang@gmail.com>2012-02-08 20:13:37 -0500
committerLinus Torvalds <torvalds@linux-foundation.org>2012-02-08 22:03:51 -0500
commit1ecd3c7ea76488c63b4b0a2561fd7eaf96cc8028 (patch)
tree3bc88fd0b4fd61c86141c66e86cf5492753bcd22 /fs/nilfs2
parent98e96852480566333f6dacd3223f0be15df34d60 (diff)
nilfs2: avoid overflowing segment numbers in nilfs_ioctl_clean_segments()
nsegs is read from userspace. Limit its value and avoid overflowing nsegs * sizeof(__u64) in the subsequent call to memdup_user(). This patch complements 481fe17e973fb9 ("nilfs2: potential integer overflow in nilfs_ioctl_clean_segments()"). Signed-off-by: Xi Wang <xi.wang@gmail.com> Cc: Haogang Chen <haogangchen@gmail.com> Acked-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to 'fs/nilfs2')
-rw-r--r--fs/nilfs2/ioctl.c2
1 files changed, 2 insertions, 0 deletions
diff --git a/fs/nilfs2/ioctl.c b/fs/nilfs2/ioctl.c
index 886649627c3d..2a70fce70c65 100644
--- a/fs/nilfs2/ioctl.c
+++ b/fs/nilfs2/ioctl.c
@@ -603,6 +603,8 @@ static int nilfs_ioctl_clean_segments(struct inode *inode, struct file *filp,
603 nsegs = argv[4].v_nmembs; 603 nsegs = argv[4].v_nmembs;
604 if (argv[4].v_size != argsz[4]) 604 if (argv[4].v_size != argsz[4])
605 goto out; 605 goto out;
606 if (nsegs > UINT_MAX / sizeof(__u64))
607 goto out;
606 608
607 /* 609 /*
608 * argv[4] points to segment numbers this ioctl cleans. We 610 * argv[4] points to segment numbers this ioctl cleans. We