nilfs2: avoid overflowing segment numbers in nilfs_ioctl_clean_segments()
nsegs is read from userspace. Limit its value and avoid overflowing nsegs
* sizeof(__u64) in the subsequent call to memdup_user().
This patch complements 481fe17e97
("nilfs2: potential integer overflow
in nilfs_ioctl_clean_segments()").
Signed-off-by: Xi Wang <xi.wang@gmail.com>
Cc: Haogang Chen <haogangchen@gmail.com>
Acked-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
This commit is contained in:
parent
98e9685248
commit
1ecd3c7ea7
|
@ -603,6 +603,8 @@ static int nilfs_ioctl_clean_segments(struct inode *inode, struct file *filp,
|
|||
nsegs = argv[4].v_nmembs;
|
||||
if (argv[4].v_size != argsz[4])
|
||||
goto out;
|
||||
if (nsegs > UINT_MAX / sizeof(__u64))
|
||||
goto out;
|
||||
|
||||
/*
|
||||
* argv[4] points to segment numbers this ioctl cleans. We
|
||||
|
|
Loading…
Reference in New Issue