libceph: fix overflow check in crush_decode() The existing overflow check (n > ULONG_MAX / b) didn't work, because n = ULONG_MAX / b would both bypass the check and still overflow the allocation size a + n * b. The correct check should be (n > (ULONG_MAX - a) / b). Signed-off-by: Xi Wang <xi.wang@gmail.com> Signed-off-by: Sage Weil <sage@newdream.net>

commit: 64486697771cbe219fffcb5c8e2ed9ca4fdf086c [log] [tgz]
author: Xi Wang <xi.wang@gmail.com> Thu Feb 16 11:55:48 2012 -0500
committer: Alex Elder <elder@dreamhost.com> Thu Mar 22 10:47:45 2012 -0500
tree: a623eebb8105ae8e7585c7faaf171729a9cbadbb
parent: 810339ec2fae5cbd0164b8acde7fb65652755864 [diff] [blame]
diff --git a/net/ceph/osdmap.c b/net/ceph/osdmap.c
index fd863fe7..29ad46e 100644
--- a/net/ceph/osdmap.c
+++ b/net/ceph/osdmap.c

@@ -283,7 +283,8 @@
 		ceph_decode_32_safe(p, end, yes, bad);
 #if BITS_PER_LONG == 32
 		err = -EINVAL;
-		if (yes > ULONG_MAX / sizeof(struct crush_rule_step))
+		if (yes > (ULONG_MAX - sizeof(*r))
+			  / sizeof(struct crush_rule_step))
 			goto bad;
 #endif
 		r = c->rules[i] = kmalloc(sizeof(*r) +
commit	64486697771cbe219fffcb5c8e2ed9ca4fdf086c	[log] [tgz]
author	Xi Wang <xi.wang@gmail.com>	Thu Feb 16 11:55:48 2012 -0500
committer	Alex Elder <elder@dreamhost.com>	Thu Mar 22 10:47:45 2012 -0500
tree	a623eebb8105ae8e7585c7faaf171729a9cbadbb
parent	810339ec2fae5cbd0164b8acde7fb65652755864 [diff] [blame]