[Drbd-dev] [patch] drbd: potential integer overflow in receive_SyncParam()

Lars Ellenberg lars.ellenberg at linbit.com
Tue Jun 12 14:25:06 CEST 2012


On Tue, Jun 12, 2012 at 10:43:11AM +0300, Dan Carpenter wrote:
> I believe this comes from the network so there is a risk of integer
> overflow on 32 bit.  Using kcalloc() is a little cleaner as well.
> 
> Signed-off-by: Dan Carpenter <dan.carpenter at oracle.com>
> 
> diff --git a/drivers/block/drbd/drbd_receiver.c b/drivers/block/drbd/drbd_receiver.c
> index ea4836e..1e27876 100644
> --- a/drivers/block/drbd/drbd_receiver.c
> +++ b/drivers/block/drbd/drbd_receiver.c
> @@ -2902,7 +2902,7 @@ static int receive_SyncParam(struct drbd_conf *mdev, enum drbd_packets cmd, unsi
>  
>  			fifo_size = (mdev->sync_conf.c_plan_ahead * 10 * SLEEP_TIME) / HZ;
>  			if (fifo_size != mdev->rs_plan_s.size && fifo_size > 0) {
> -				rs_plan_s   = kzalloc(sizeof(int) * fifo_size, GFP_KERNEL);
> +				rs_plan_s = kcalloc(fifo_size, sizeof(int), GFP_KERNEL);
>  				if (!rs_plan_s) {
>  					dev_err(DEV, "kmalloc of fifo_buffer failed");
>  					goto disconnect;

sync_conf.c_plan_ahead is capped at 300 by drbdsetup.
But yes, since this is not enforced in kernel code,
your fix is correct.


	Lars


More information about the drbd-dev mailing list