summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorMikulas Patocka <mpatocka@redhat.com>2013-11-22 19:52:06 -0500
committerMike Snitzer <snitzer@redhat.com>2013-12-10 16:34:27 -0500
commit5b2d06576c5410c10d95adfd5c4d8b24de861d87 (patch)
tree252b895b66b63a84a166af0142472cdf3a1c3640
parent230c83afdd9cd384348475bea1e14b80b3b6b1b8 (diff)
dm table: fail dm_table_create on dm_round_up overflow
The dm_round_up function may overflow to zero. In this case, dm_table_create() must fail rather than go on to allocate an empty array with alloc_targets(). This fixes a possible memory corruption that could be caused by passing too large a number in "param->target_count". Signed-off-by: Mikulas Patocka <mpatocka@redhat.com> Signed-off-by: Mike Snitzer <snitzer@redhat.com> Cc: stable@vger.kernel.org
-rw-r--r--drivers/md/dm-table.c5
1 files changed, 5 insertions, 0 deletions
diff --git a/drivers/md/dm-table.c b/drivers/md/dm-table.c
index 465f08ca62b..3ba6a3859ce 100644
--- a/drivers/md/dm-table.c
+++ b/drivers/md/dm-table.c
@@ -200,6 +200,11 @@ int dm_table_create(struct dm_table **result, fmode_t mode,
num_targets = dm_round_up(num_targets, KEYS_PER_NODE);
+ if (!num_targets) {
+ kfree(t);
+ return -ENOMEM;
+ }
+
if (alloc_targets(t, num_targets)) {
kfree(t);
return -ENOMEM;