fs/btrfs: Integer overflow in btrfs_ioctl_resize()

Message ID 1387524536-29828-1-git-send-email-fanwlexca@gmail.com (mailing list archive)
State Accepted, archived

Commit Message

Wenliang Fan Dec. 20, 2013, 7:28 a.m. UTC
The local variable 'new_size' comes from userspace. If a large number
was passed, there would be an integer overflow in the following line:
	new_size = old_size + new_size;

Signed-off-by: Wenliang Fan <fanwlexca@gmail.com>
---
 fs/btrfs/ioctl.c | 4 ++++
 1 file changed, 4 insertions(+)

Patch

diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c
index 21da576..92f7707 100644
--- a/fs/btrfs/ioctl.c
+++ b/fs/btrfs/ioctl.c
@@ -1466,6 +1466,10 @@  static noinline int btrfs_ioctl_resize(struct file *file,
 		}
 		new_size = old_size - new_size;
 	} else if (mod > 0) {
+		if (new_size > ULLONG_MAX - old_size) {
+			ret = -EINVAL;
+			goto out_free;
+		}
 		new_size = old_size + new_size;
 	}
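
Review bot: The bound in the new `mod > 0` check is written against ULLONG_MAX, which is only the right limit if `new_size` and `old_size` are both 64-bit unsigned; their declarations are outside this hunk, so please confirm the types, or use the type-independent form `if (old_size + new_size < old_size)`, which stays correct if either declaration changes. The rejection path also returns -EINVAL without any message, so a caller passing an oversized `+size` argument gets no hint about which limit was hit; a short log line before `goto out_free` would help. Finally, the commit message says the addition overflows but not what a wrapped `new_size` would lead to further down in the resize path; one sentence on the consequence would make the severity clear to backporters.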