diff options
Diffstat (limited to 'drivers/block')
| -rw-r--r-- | drivers/block/rbd.c | 10 |
1 files changed, 6 insertions, 4 deletions
diff --git a/drivers/block/rbd.c b/drivers/block/rbd.c index ca59d4d9471e..a75fe93a25b1 100644 --- a/drivers/block/rbd.c +++ b/drivers/block/rbd.c | |||
| @@ -487,16 +487,18 @@ static void rbd_coll_release(struct kref *kref) | |||
| 487 | */ | 487 | */ |
| 488 | static int rbd_header_from_disk(struct rbd_image_header *header, | 488 | static int rbd_header_from_disk(struct rbd_image_header *header, |
| 489 | struct rbd_image_header_ondisk *ondisk, | 489 | struct rbd_image_header_ondisk *ondisk, |
| 490 | int allocated_snaps, | 490 | u32 allocated_snaps, |
| 491 | gfp_t gfp_flags) | 491 | gfp_t gfp_flags) |
| 492 | { | 492 | { |
| 493 | int i; | 493 | u32 i, snap_count; |
| 494 | u32 snap_count; | ||
| 495 | 494 | ||
| 496 | if (memcmp(ondisk, RBD_HEADER_TEXT, sizeof(RBD_HEADER_TEXT))) | 495 | if (memcmp(ondisk, RBD_HEADER_TEXT, sizeof(RBD_HEADER_TEXT))) |
| 497 | return -ENXIO; | 496 | return -ENXIO; |
| 498 | 497 | ||
| 499 | snap_count = le32_to_cpu(ondisk->snap_count); | 498 | snap_count = le32_to_cpu(ondisk->snap_count); |
| 499 | if (snap_count > (UINT_MAX - sizeof(struct ceph_snap_context)) | ||
| 500 | / sizeof (*ondisk)) | ||
| 501 | return -EINVAL; | ||
| 500 | header->snapc = kmalloc(sizeof(struct ceph_snap_context) + | 502 | header->snapc = kmalloc(sizeof(struct ceph_snap_context) + |
| 501 | snap_count * sizeof (*ondisk), | 503 | snap_count * sizeof (*ondisk), |
| 502 | gfp_flags); | 504 | gfp_flags); |
| @@ -1591,7 +1593,7 @@ static int rbd_read_header(struct rbd_device *rbd_dev, | |||
| 1591 | { | 1593 | { |
| 1592 | ssize_t rc; | 1594 | ssize_t rc; |
| 1593 | struct rbd_image_header_ondisk *dh; | 1595 | struct rbd_image_header_ondisk *dh; |
| 1594 | int snap_count = 0; | 1596 | u32 snap_count = 0; |
| 1595 | u64 ver; | 1597 | u64 ver; |
| 1596 | size_t len; | 1598 | size_t len; |
| 1597 | 1599 | ||