diff options
| author | Mikulas Patocka <mpatocka@redhat.com> | 2013-11-22 19:52:06 -0500 |
|---|---|---|
| committer | Ben Hutchings <ben@decadent.org.uk> | 2014-01-03 04:33:29 +0000 |
| commit | a86ed8caf2fda2069ed910b42f80d7e7b7bc49d1 (patch) | |
| tree | ba9014a0cb375d89d59c8363e6261f0aca7ee975 /drivers | |
| parent | 8bd981aa4b609d3c97fceb4d81b212b68952b29c (diff) | |
dm table: fail dm_table_create on dm_round_up overflow
commit 5b2d06576c5410c10d95adfd5c4d8b24de861d87 upstream.
The dm_round_up function may overflow to zero. In this case,
dm_table_create() must fail rather than go on to allocate an empty array
with alloc_targets().
This fixes a possible memory corruption that could be caused by passing
too large a number in "param->target_count".
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Diffstat (limited to 'drivers')
| -rw-r--r-- | drivers/md/dm-table.c | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/drivers/md/dm-table.c b/drivers/md/dm-table.c index 72c0dfb301f..5c52582b017 100644 --- a/drivers/md/dm-table.c +++ b/drivers/md/dm-table.c @@ -215,6 +215,11 @@ int dm_table_create(struct dm_table **result, fmode_t mode, num_targets = dm_round_up(num_targets, KEYS_PER_NODE); + if (!num_targets) { + kfree(t); + return -ENOMEM; + } + if (alloc_targets(t, num_targets)) { kfree(t); t = NULL; |