diff mbox

btrfs: send: silence an integer overflow warning

Message ID 20160413064059.GB8092@mwanda (mailing list archive)
State Accepted
Headers show

Commit Message

Dan Carpenter April 13, 2016, 6:40 a.m. UTC
The "sizeof(*arg->clone_sources) * arg->clone_sources_count" expression
can overflow.  It causes several static checker warnings.  It's all
under CAP_SYS_ADMIN so it's not that serious but lets silence the
warnings.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>

--
To unsubscribe from this list: send the line "unsubscribe linux-btrfs" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Comments

David Sterba April 25, 2016, 12:49 p.m. UTC | #1
On Wed, Apr 13, 2016 at 09:40:59AM +0300, Dan Carpenter wrote:
> The "sizeof(*arg->clone_sources) * arg->clone_sources_count" expression
> can overflow.  It causes several static checker warnings.  It's all
> under CAP_SYS_ADMIN so it's not that serious but lets silence the
> warnings.
> 
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>

Reviewed-by: David Sterba <dsterba@suse.com>
--
To unsubscribe from this list: send the line "unsubscribe linux-btrfs" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
diff mbox

Patch

diff --git a/fs/btrfs/send.c b/fs/btrfs/send.c
index 73dd5d6..6a8c860 100644
--- a/fs/btrfs/send.c
+++ b/fs/btrfs/send.c
@@ -5979,6 +5979,12 @@  long btrfs_ioctl_send(struct file *mnt_file, void __user *arg_)
 		goto out;
 	}
 
+	if (arg->clone_sources_count >
+	    ULLONG_MAX / sizeof(*arg->clone_sources)) {
+		ret = -EINVAL;
+		goto out;
+	}
+
 	if (!access_ok(VERIFY_READ, arg->clone_sources,
 			sizeof(*arg->clone_sources) *
 			arg->clone_sources_count)) {