commit | 50f7c4c967d0b5acd8e7ba6ab654dc4a7ac869ac | |
---|---|---|
author | Xi Wang <xi.wang@gmail.com> | Fri Apr 20 15:49:44 2012 -0500 |
committer | Alex Elder <elder@dreamhost.com> | Mon May 14 12:12:41 2012 -0500 |
tree | a37aa5a2aad9e434bf6b77e0b65601b6e30589b2 | |
parent | f8ad495a8a0277b88c59bf38319e5e944aaf5a4a | |

rbd: fix integer overflow in rbd_header_from_disk()

ondisk->snap_count is read from disk via rbd_req_sync_read() and thus needs validation. Otherwise, a bogus `snap_count' could overflow the kmalloc() size, leading to memory corruption.

Also use `u32' consistently for `snap_count'.

[elder@dreamhost.com: changed to use UINT_MAX rather than ULONG_MAX]

Signed-off-by: Xi Wang <xi.wang@gmail.com>
Reviewed-by: Alex Elder <elder@dreamhost.com>
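
The class of bug the commit message describes, as an added user-space example that is not the kernel code or part of this commit: a 32-bit count read from untrusted storage sizes an allocation, shown unchecked and then bounded against UINT_MAX. The struct `demo_header` and all function names are hypothetical, and the sample bytes are constructed.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical in-memory header: a count followed by that many 64-bit ids. */
struct demo_header {
    uint32_t snap_count;
    uint64_t snap_ids[];
};

/* "Before": size computed in 32-bit arithmetic with no bound on the count. */
static uint32_t alloc_size_unchecked(uint32_t snap_count)
{
    return (uint32_t)sizeof(struct demo_header) +
           snap_count * (uint32_t)sizeof(uint64_t);   /* wraps mod 2^32 */
}

/* "After": reject any count whose total size would exceed UINT_MAX. */
static int alloc_size_checked(uint32_t snap_count, size_t *size)
{
    if (snap_count > (UINT_MAX - sizeof(struct demo_header)) / sizeof(uint64_t))
        return -1;
    *size = sizeof(struct demo_header) + (size_t)snap_count * sizeof(uint64_t);
    return 0;
}

/* Parse a little-endian 32-bit count from an untrusted buffer; NULL on error. */
static struct demo_header *demo_header_from_disk(const unsigned char *buf, size_t len)
{
    size_t size;
    if (len < 4)
        return NULL;
    uint32_t count = (uint32_t)buf[0] | (uint32_t)buf[1] << 8 |
                     (uint32_t)buf[2] << 16 | (uint32_t)buf[3] << 24;
    if (alloc_size_checked(count, &size) != 0)
        return NULL;                      /* bogus count: refuse to allocate */
    struct demo_header *h = calloc(1, size);
    if (h)
        h->snap_count = count;
    return h;
}

int main(void)
{
    const unsigned char bogus[4] = { 0x00, 0x00, 0x00, 0x20 }; /* constructed: 0x20000000 */
    printf("unchecked size: %u, checked parse: %s\n", alloc_size_unchecked(0x20000000u),
           demo_header_from_disk(bogus, sizeof bogus) ? "accepted" : "rejected");
    return 0;
}
```

With the unchecked computation, a count of 0x20000000 yields an allocation the size of the bare header, so any later loop that fills `snap_count` entries would write far past it.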