From: Dan Carpenter dan.carpenter@oracle.com
commit 23a9dbbe0faf124fc4c139615633b9d12a3a89ef upstream.
On a 32 bit system, the "len * sizeof(*p)" operation can have an integer overflow.
Cc: stable@vger.kernel.org Signed-off-by: Dan Carpenter dan.carpenter@oracle.com Signed-off-by: Chuck Lever chuck.lever@oracle.com Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org --- include/linux/sunrpc/xdr.h | 2 ++ 1 file changed, 2 insertions(+)
--- a/include/linux/sunrpc/xdr.h +++ b/include/linux/sunrpc/xdr.h @@ -509,6 +509,8 @@ xdr_stream_decode_uint32_array(struct xd
if (unlikely(xdr_stream_decode_u32(xdr, &len) < 0)) return -EBADMSG; + if (len > SIZE_MAX / sizeof(*p)) + return -EBADMSG; p = xdr_inline_decode(xdr, len * sizeof(*p)); if (unlikely(!p)) return -EBADMSG;