From patchwork Sun Jan 18 23:15:13 2009 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: MTD: a negative devlength won't get noticed Date: Sun, 18 Jan 2009 13:15:13 -0000 From: roel kluin X-Patchwork-Id: 19231 Message-Id: <4973B801.5050408@gmail.com> To: dwmw2@infradead.org Cc: linux-mtd@lists.infradead.org a negative devlength won't get noticed and clean up: Signed-off-by: Roel Kluin --- devstart and devlength are unsigned longs and handle_unit() can only return positive. so a negative devstart won't occur, only a negative devlength can when (*(szlength) != '+'). for hadle_unit() see vi drivers/mtd/devices/slram.c +244 diff --git a/drivers/mtd/devices/slram.c b/drivers/mtd/devices/slram.c index a425d09..00248e8 100644 --- a/drivers/mtd/devices/slram.c +++ b/drivers/mtd/devices/slram.c @@ -267,22 +267,28 @@ static int parse_cmdline(char *devname, char *szstart, char *szlength) if (*(szlength) != '+') { devlength = simple_strtoul(szlength, &buffer, 0); devlength = handle_unit(devlength, buffer) - devstart; + if (devlength < devstart) + goto err_out; + + devlength -= devstart; } else { devlength = simple_strtoul(szlength + 1, &buffer, 0); devlength = handle_unit(devlength, buffer); } T("slram: devname=%s, devstart=0x%lx, devlength=0x%lx\n", devname, devstart, devlength); - if ((devstart < 0) || (devlength < 0) || (devlength % SLRAM_BLK_SZ != 0)) { - E("slram: Illegal start / length parameter.\n"); - return(-EINVAL); - } + if (devlength % SLRAM_BLK_SZ != 0) + goto err_out; if ((devstart = register_device(devname, devstart, devlength))){ unregister_devices(); return((int)devstart); } return(0); + +err_out: + E("slram: Illegal length parameter.\n"); + return(-EINVAL); } #ifndef MODULE