Skip to content
Commit 50f7c4c9 authored by Xi Wang's avatar Xi Wang Committed by Alex Elder
Browse files

rbd: fix integer overflow in rbd_header_from_disk() 



ondisk->snap_count is read from disk via rbd_req_sync_read() and thus
needs validation.  Otherwise, a bogus `snap_count' could overflow the
kmalloc() size, leading to memory corruption.

Also use `u32' consistently for `snap_count'.

[elder@dreamhost.com: changed to use UINT_MAX rather than ULONG_MAX]

Signed-off-by: default avatarXi Wang <xi.wang@gmail.com>
Reviewed-by: default avatarAlex Elder <elder@dreamhost.com>
parent f8ad495a
Hide whitespace changes
Inline Side-by-side
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment