From patchwork Thu Sep 27 20:49:08 2012 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Dan Carpenter X-Patchwork-Id: 1515711 Return-Path: X-Original-To: patchwork-cifs-client@patchwork.kernel.org Delivered-To: patchwork-process-083081@patchwork2.kernel.org Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by patchwork2.kernel.org (Postfix) with ESMTP id B8A9FE00FF for ; Thu, 27 Sep 2012 20:49:51 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1754926Ab2I0Utp (ORCPT ); Thu, 27 Sep 2012 16:49:45 -0400 Received: from acsinet15.oracle.com ([141.146.126.227]:26230 "EHLO acsinet15.oracle.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1754952Ab2I0Utl (ORCPT ); Thu, 27 Sep 2012 16:49:41 -0400 Received: from acsinet22.oracle.com (acsinet22.oracle.com [141.146.126.238]) by acsinet15.oracle.com (Sentrion-MTA-4.2.2/Sentrion-MTA-4.2.2) with ESMTP id q8RKnHZp029745 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Thu, 27 Sep 2012 20:49:17 GMT Received: from acsmt358.oracle.com (acsmt358.oracle.com [141.146.40.158]) by acsinet22.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id q8RKnGH6023360 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 27 Sep 2012 20:49:17 GMT Received: from abhmt117.oracle.com (abhmt117.oracle.com [141.146.116.69]) by acsmt358.oracle.com (8.12.11.20060308/8.12.11) with ESMTP id q8RKnG8C007441; Thu, 27 Sep 2012 15:49:16 -0500 Received: from elgon.mountain (/41.212.103.53) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Thu, 27 Sep 2012 13:49:16 -0700 Date: Thu, 27 Sep 2012 23:49:08 +0300 From: Dan Carpenter To: Steve French Cc: linux-cifs@vger.kernel.org, samba-technical@lists.samba.org, kernel-janitors@vger.kernel.org Subject: [patch] cifs: proper fix for integer overflow in parse_dacl() Message-ID: <20120927204908.GA13222@elgon.mountain> MIME-Version: 1.0 Content-Disposition: inline User-Agent: Mutt/1.5.21 (2010-09-15) X-Source-IP: acsinet22.oracle.com [141.146.126.238] Sender: linux-cifs-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-cifs@vger.kernel.org I tried to fix this before by adding the ULONG_MAX check, but num_aces is an unsigned int so it should have been UINT_MAX. Sorry for that. These days we can just call kmalloc_array() which has the overflow check built in. Reported-by: pipacs Signed-off-by: Dan Carpenter --- To unsubscribe from this list: send the line "unsubscribe linux-cifs" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html diff --git a/fs/cifs/cifsacl.c b/fs/cifs/cifsacl.c index 2ee5c54..bc9fcfb 100644 --- a/fs/cifs/cifsacl.c +++ b/fs/cifs/cifsacl.c @@ -910,9 +910,7 @@ static void parse_dacl(struct cifs_acl *pdacl, char *end_of_acl, umode_t group_mask = S_IRWXG; umode_t other_mask = S_IRWXU | S_IRWXG | S_IRWXO; - if (num_aces > ULONG_MAX / sizeof(struct cifs_ace *)) - return; - ppace = kmalloc(num_aces * sizeof(struct cifs_ace *), + ppace = kmalloc_array(num_aces, sizeof(struct cifs_ace *), GFP_KERNEL); if (!ppace) { cERROR(1, "DACL memory allocation error");