On Apr 29, 2014, at 5:08 AM, Dan Carpenter wrote:

> On Sun, Apr 27, 2014 at 01:06:42PM -0400, Oleg Drokin wrote:
>> diff --git a/drivers/staging/lustre/lustre/llite/dir.c 
>> b/drivers/staging/lustre/lustre/llite/dir.c
>> index 7fbc18e..c391b60 100644
>> --- a/drivers/staging/lustre/lustre/llite/dir.c
>> +++ b/drivers/staging/lustre/lustre/llite/dir.c
>> @@ -1804,6 +1804,11 @@ out_rmdir:
>>              /* Compute the whole struct size */
>>              totalsize = hur_len(hur);
> hur_len() has an integer overflow bug.

Indeed. Thanks.

The below check for the MDS_MAXREQSIZE was aimed at fixing it, I guess. But 
it's obviously flawed.

>>              OBD_FREE_PTR(hur);
>> +
>> +            /* Final size will be more than double totalsize */
>> +            if (totalsize >= MDS_MAXREQSIZE / 3)
>> +                    return -E2BIG;
> "totalsize" is signed and this condition doesn't take negatives into
> consideration.  Make totalsize unsigned.

In fact we should just enforce a max limit on item count in hur structure above
and that would take care of both the overflow and here.

>> +
>>              OBD_ALLOC_LARGE(hur, totalsize);
> How do we know that "totalsize" is more than sizeof(*hur)?  If we fixed
> the overflow bug then maybe this isn't a problem.  I haven't looked.

hur_size calculates total size as size of the struct hur (but using offset_of 
of it's last member that's a zero-sized array + whatever the size of the follow 
on items.

Bye,
    Oleg
_______________________________________________
devel mailing list
de...@linuxdriverproject.org
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel

Reply via email to