===================================================================
@@ -81,7 +81,7 @@ struct rbd_image_header {
__u8 crypt_type;
__u8 comp_type;
struct ceph_snap_context *snapc;
- size_t snap_names_len;
+ u64 snap_names_len;
u32 total_snaps;
char *snap_names;
@@ -511,6 +511,7 @@ static int rbd_header_from_disk(struct r
if (snap_count) {
header->snap_names_len = le64_to_cpu(ondisk->snap_names_len);
+ BUG_ON(header->snap_names_len > (u64) SIZE_MAX);
header->snap_names = kmalloc(header->snap_names_len,
GFP_KERNEL);
if (!header->snap_names)
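Review bot: The added `BUG_ON(header->snap_names_len > (u64) SIZE_MAX)` halts the kernel on a value that was just read from the on-disk image header, so a corrupt or hostile header becomes a crash instead of a failed header read. Rejecting the value with an error return is safer, e.g. `if (header->snap_names_len > (u64) SIZE_MAX) return -EIO;`, routed through whatever cleanup rbd_header_from_disk uses for allocations made before this point, which this hunk does not show. On 64-bit builds the comparison can never be true, so the length handed to kmalloc() is bounded only by the allocation failing and the NULL check that follows. A sanity limit on the on-disk length, checked before allocating, would cover both word sizes. The function body starts and ends outside the hunk.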
The snap_names_len field of an rbd_image_header structure is defined with type size_t. That field is used as both the source and target of 64-bit byte-order swapping operations though, so it's best to define it with type u64 instead. Signed-off-by: Alex Elder <elder@inktank.com> --- drivers/block/rbd.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) -- To unsubscribe from this list: send the line "unsubscribe ceph-devel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html