libceph: fix overflow check in crush_decode()

The existing overflow check (n > ULONG_MAX / b) didn't work, because n = ULONG_MAX / b would both bypass the check and still overflow the allocation size a + n * b. The correct check should be (n > (ULONG_MAX - a) / b). Signed-off-by: N Xi Wang <xi.wang@gmail.com> Signed-off-by: N Sage Weil <sage@newdream.net>

libceph: fix overflow check in crush_decode()
The existing overflow check (n > ULONG_MAX / b) didn't work, because n = ULONG_MAX / b would both bypass the check and still overflow the allocation size a + n * b. The correct check should be (n > (ULONG_MAX - a) / b). Signed-off-by: N Xi Wang <xi.wang@gmail.com> Signed-off-by: N Sage Weil <sage@newdream.net>
64486697 · Xi Wang · Alex Elder · 810339ec · 64486697
隐藏空白更改
内联并排

Showing with 2 addition and 1 deletion

net/ceph/osdmap.c net/ceph/osdmap.c +2 -1

未找到文件。
--- a/net/ceph/osdmap.c
+++ b/net/ceph/osdmap.c
@@ -283,7 +283,8 @@ static struct crush_map *crush_decode(void *pbyval, void *end)
 		ceph_decode_32_safe(p, end, yes, bad);
 #if BITS_PER_LONG == 32
 		err = -EINVAL;
-		if (yes > ULONG_MAX / sizeof(struct crush_rule_step))
+		if (yes > (ULONG_MAX - sizeof(*r))
+			  / sizeof(struct crush_rule_step))
 			goto bad;
 #endif
 		r = c->rules[i] = kmalloc(sizeof(*r) +