Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

dm raid: fix a couple integer overflows

My static checker complains that if "num_raid_params" is UINT_MAX then
the "if (num_raid_params + 1 > argc) {" check doesn't work as intended.

The other change is that I moved the "if (argc != (num_raid_devs * 2))"
condition forward a few lines so it was before the call to
context_alloc(). If we had an integer overflow inside that function
then it would lead to an immediate crash.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
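The wraparound the commit message describes, as an added example that is not part of the commit or of dm-raid.c: a userspace model in which 32-bit unsigned counters stand in for the kernel variables (an assumption, since the page does not show their types), with hypothetical helper names.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model: uint32_t stands in for the kernel's counters. */

/* Old form: n + 1 wraps to 0 when n == UINT32_MAX, so nothing is rejected. */
static int old_check_rejects(uint32_t n, uint32_t argc)
{
    return (uint32_t)(n + 1) > argc;
}

/* Fixed form: compare the untrusted value before doing arithmetic on it. */
static int new_check_rejects(uint32_t n, uint32_t argc)
{
    return n >= argc;
}

/*
 * Arguments left for the device list after skipping n RAID params and the
 * device-count argument, or -1 if the count check rejects the input.
 */
static int64_t remaining_args(uint32_t n, uint32_t argc, int use_fixed)
{
    int rejected = use_fixed ? new_check_rejects(n, argc)
                             : old_check_rejects(n, argc);
    if (rejected)
        return -1;
    return (int64_t)(uint32_t)(argc - (uint32_t)(n + 1));
}

int main(void)
{
    /* Constructed inputs: {claimed param count, argc}. */
    uint32_t cases[][2] = { {2, 7}, {6, 7}, {7, 7}, {UINT32_MAX, 5} };

    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
        uint32_t n = cases[i][0], argc = cases[i][1];
        printf("n=%u argc=%u old=%lld fixed=%lld\n", (unsigned)n,
               (unsigned)argc, (long long)remaining_args(n, argc, 0),
               (long long)remaining_args(n, argc, 1));
    }
    return 0;
}
```

For every count below the maximum the two checks agree; only the maximum value passes the old check, after which the count would be used as an index into the argument array.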

Authored by Dan Carpenter and committed by Mike Snitzer
3ca5a21a 65803c20

+7 -9
drivers/md/dm-raid.c
··· 1243 1243 argv++; 1244 1244 1245 1245 /* Skip over RAID params for now and find out # of devices */ 1246 - if (num_raid_params + 1 > argc) { 1246 + if (num_raid_params >= argc) { 1247 1247 ti->error = "Arguments do not agree with counts given"; 1248 1248 return -EINVAL; 1249 1249 } ··· 1251 1251 if ((kstrtoul(argv[num_raid_params], 10, &num_raid_devs) < 0) || 1252 1252 (num_raid_devs >= INT_MAX)) { 1253 1253 ti->error = "Cannot understand number of raid devices"; 1254 + return -EINVAL; 1255 + } 1256 + 1257 + argc -= num_raid_params + 1; /* +1: we already have num_raid_devs */ 1258 + if (argc != (num_raid_devs * 2)) { 1259 + ti->error = "Supplied RAID devices does not match the count given"; 1254 1260 return -EINVAL; 1255 1261 } 1256 1262 ··· 1268 1262 if (ret) 1269 1263 goto bad; 1270 1264 1271 - ret = -EINVAL; 1272 - 1273 - argc -= num_raid_params + 1; /* +1: we already have num_raid_devs */ 1274 1265 argv += num_raid_params + 1; 1275 - 1276 - if (argc != (num_raid_devs * 2)) { 1277 - ti->error = "Supplied RAID devices does not match the count given"; 1278 - goto bad; 1279 - } 1280 1266 1281 1267 ret = dev_parms(rs, argv); 1282 1268 if (ret)
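Review bot: The rewritten test `if (num_raid_params >= argc)` in the first hunk carries no comment explaining why it is not written as `num_raid_params + 1 > argc`. The two forms look interchangeable, so a later cleanup could reintroduce the wrapping addition. A one-line comment above the check, saying that the count comes from the table line and must be compared before any arithmetic is done on it, would record the intent next to the code rather than only in the commit message.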
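Review bot: In the second hunk, `argc -= num_raid_params + 1` and `num_raid_devs * 2` are safe only because of the two range checks that now sit directly above them (`num_raid_params >= argc` and `num_raid_devs >= INT_MAX`), and nothing at the point of the arithmetic says so. Since the purpose of the move is ordering, a short comment on the relocated block stating that it must stay after both bounds checks and before the allocation would keep a future reshuffle from undoing the fix.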
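Review bot: The third hunk removes `ret = -EINVAL;` together with the relocated check, so any `goto bad` further down that does not assign `ret` first would now return the 0 left over from the preceding successful call. The visible `dev_parms()` path assigns `ret` itself, but the rest of the function lies outside this hunk; it is worth confirming that every remaining `goto bad` sets an error code before jumping.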