xfs: Fix integer overflow in fs/xfs/linux-2.6/xfs_ioctl*.c

The am_hreq.opcount field in the xfs_attrmulti_by_handle() interface is not bounded correctly. The opcount is used to determine the size of the buffer required. The size is bounded, but can overflow and so the size checks may not be sufficient to catch invalid opcounts. Fix it by catching opcount values that would cause overflows before calculating the size. Signed-off-by: Zhitong Wang <zhitong.wangzt@alibaba-inc.com> Reviewed-by: Dave Chinner <david@fromorbit.com>
author: Zhitong Wang <zhitong.wangzt@alibaba-inc.com> 2010-03-23 09:51:22 +1100
committer: Alex Elder <aelder@sgi.com> 2010-05-19 09:58:07 -0500
commit: fda168c24586ab8e01b0eb68028d78fe3e4fb71a (patch)
tree: 015ac765550296cac1bc9b3eee833d99630a83fa /fs/xfs/linux-2.6/xfs_ioctl32.c
parent: e40152ee1e1c7a63f4777791863215e3faa37a86 (diff)
1 files changed, 4 insertions, 0 deletions
diff --git a/fs/xfs/linux-2.6/xfs_ioctl32.c b/fs/xfs/linux-2.6/xfs_ioctl32.c
index 593c05b4df8d..9287135e9bfc 100644
--- a/fs/xfs/linux-2.6/xfs_ioctl32.c
+++ b/fs/xfs/linux-2.6/xfs_ioctl32.c
@@ -420,6 +420,10 @@ xfs_compat_attrmulti_by_handle(
 			   sizeof(compat_xfs_fsop_attrmulti_handlereq_t)))
 		return -XFS_ERROR(EFAULT);
 
+	/* overflow check */
+	if (am_hreq.opcount >= INT_MAX / sizeof(compat_xfs_attr_multiop_t))
+		return -E2BIG;
+
 	dentry = xfs_compat_handlereq_to_dentry(parfilp, &am_hreq.hreq);
 	if (IS_ERR(dentry))
 		return PTR_ERR(dentry);
author	Zhitong Wang <zhitong.wangzt@alibaba-inc.com>	2010-03-23 09:51:22 +1100
committer	Alex Elder <aelder@sgi.com>	2010-05-19 09:58:07 -0500
commit	fda168c24586ab8e01b0eb68028d78fe3e4fb71a (patch)
tree	015ac765550296cac1bc9b3eee833d99630a83fa /fs/xfs/linux-2.6/xfs_ioctl32.c
parent	e40152ee1e1c7a63f4777791863215e3faa37a86 (diff)