NFSv4.1: integer overflow in decode_cb_sequence_args()

This seems like it could overflow on 32 bits. Use kmalloc_array() which has overflow protection built in. Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
author: Dan Carpenter <dan.carpenter@oracle.com> 2012-06-12 03:37:08 -0400
committer: Trond Myklebust <Trond.Myklebust@netapp.com> 2012-06-12 09:54:36 -0400
commit: 0439f31c35d1da0b28988b308ea455e38e6a350d (patch)
tree: 3d59dd6250c47968f5d6e521d3442525146660a4 /fs
parent: 92123e068efa310b09e9943ac1cfd10ff6b6d2e4 (diff)
1 files changed, 3 insertions, 3 deletions
diff --git a/fs/nfs/callback_xdr.c b/fs/nfs/callback_xdr.c
index 95bfc243992c..27c2969a9d02 100644
--- a/fs/nfs/callback_xdr.c
+++ b/fs/nfs/callback_xdr.c
@@ -455,9 +455,9 @@ static __be32 decode_cb_sequence_args(struct svc_rqst *rqstp,
        args->csa_nrclists = ntohl(*p++);
        args->csa_rclists = NULL;
        if (args->csa_nrclists) {
-                args->csa_rclists = kmalloc(args->csa_nrclists *
+                args->csa_rclists = kmalloc_array(args->csa_nrclists,
-                                            sizeof(*args->csa_rclists),
+                                                  sizeof(*args->csa_rclists),
-                                            GFP_KERNEL);
+                                                  GFP_KERNEL);
                if (unlikely(args->csa_rclists == NULL))
                        goto out;
author	Dan Carpenter <dan.carpenter@oracle.com>	2012-06-12 03:37:08 -0400
committer	Trond Myklebust <Trond.Myklebust@netapp.com>	2012-06-12 09:54:36 -0400
commit	0439f31c35d1da0b28988b308ea455e38e6a350d (patch)
tree	3d59dd6250c47968f5d6e521d3442525146660a4 /fs
parent	92123e068efa310b09e9943ac1cfd10ff6b6d2e4 (diff)

diff --git a/fs/nfs/callback_xdr.c b/fs/nfs/callback_xdr.c index 95bfc243992c..27c2969a9d02 100644 --- a/fs/nfs/callback_xdr.c +++ b/fs/nfs/callback_xdr.c
@@ -455,9 +455,9 @@ static __be32 decode_cb_sequence_args(struct svc_rqst *rqstp,
455	args->csa_nrclists = ntohl(*p++);	455	args->csa_nrclists = ntohl(*p++);
456	args->csa_rclists = NULL;	456	args->csa_rclists = NULL;
457	if (args->csa_nrclists) {	457	if (args->csa_nrclists) {
458	args->csa_rclists = kmalloc(args->csa_nrclists *	458	args->csa_rclists = kmalloc_array(args->csa_nrclists,
459	sizeof(*args->csa_rclists),	459	sizeof(*args->csa_rclists),
460	GFP_KERNEL);	460	GFP_KERNEL);
461	if (unlikely(args->csa_rclists == NULL))	461	if (unlikely(args->csa_rclists == NULL))
462	goto out;	462	goto out;
463		463