Message ID | 4A3FBDA2.3070403@gmail.com |
---|---|
State | New, archived |
On Mon, 2009-06-22 at 19:21 +0200, Roel Kluin wrote:
> when size_t `len' is negative it is wrapped so the test `len < 0' fails.
> `from' and `to' have type loff_t (signed). During the addition `len' is
> converted to signed. So when `len' is negative `from + len` can be
> less than `mtd->size' while `from' is larger than `mtd->size'. This
> patch fixes this.
>
> Signed-off-by: Roel Kluin <roel.kluin@gmail.com>

Thanks, pushed to ubi-2.6.git tree with slightly amended commit message:

commit cf9e1e425172035575bee070df031c8a58015cb8
Author: Roel Kluin <roel.kluin@gmail.com>
Date:   Mon Jun 22 19:21:38 2009 +0200

    UBI: fix input parameters check in gluebi

    size_t `len' is unsigned `len < 0' always fails.
    `from' and `to' have type loff_t (signed). During the addition `len' is
    converted to signed. So when `len' is negative `from + len` can be
    less than `mtd->size' while `from' is larger than `mtd->size'. This
    patch fixes this.

    Signed-off-by: Roel Kluin <roel.kluin@gmail.com>
    Signed-off-by: Artem Bityutskiy <Artem.Bityutskiy@nokia.com>
diff --git a/drivers/mtd/ubi/gluebi.c b/drivers/mtd/ubi/gluebi.c index 95aaac0..093729b 100644 --- a/drivers/mtd/ubi/gluebi.c +++ b/drivers/mtd/ubi/gluebi.c @@ -173,7 +173,7 @@ static int gluebi_read(struct mtd_info *mtd, loff_t from, size_t len, int err = 0, lnum, offs, total_read; struct gluebi_device *gluebi; - if (len < 0 || from < 0 || from + len > mtd->size) + if (len > mtd->size || from < 0 || from + len > mtd->size) return -EINVAL; gluebi = container_of(mtd, struct gluebi_device, mtd); @@ -217,7 +217,7 @@ static int gluebi_write(struct mtd_info *mtd, loff_t to, size_t len, int err = 0, lnum, offs, total_written; struct gluebi_device *gluebi; - if (len < 0 || to < 0 || len + to > mtd->size) + if (len > mtd->size || to < 0 || len + to > mtd->size) return -EINVAL; gluebi = container_of(mtd, struct gluebi_device, mtd);
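Review bot: In the gluebi_read hunk the last clause still adds before comparing: `from + len > mtd->size` mixes a signed loff_t with an unsigned size_t, so whether the sum is computed signed or unsigned depends on the width of size_t, and where size_t is narrower than loff_t a `from` near the top of the loff_t range can overflow the sum. Because `len > mtd->size` is rejected first, the clause can be written as `from > mtd->size - len`, which needs no addition and cannot wrap. The type of `mtd->size` is not visible in this hunk, so confirm it is unsigned before relying on the subtraction.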
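Review bot: The check in the gluebi_write hunk is now a second copy of the one in gluebi_read, differing only in operand order (`len + to` against `from + len`), and nothing in the code says why `len` is compared with `mtd->size` before the sum. A one-line comment that `len` is an unsigned size_t, or a small helper shared by both functions, would keep the two checks from drifting apart and stop a later cleanup from dropping the first clause as redundant.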
when size_t `len' is negative it is wrapped so the test `len < 0' fails.
`from' and `to' have type loff_t (signed). During the addition `len' is
converted to signed. So when `len' is negative `from + len` can be
less than `mtd->size' while `from' is larger than `mtd->size'. This
patch fixes this.

Signed-off-by: Roel Kluin <roel.kluin@gmail.com>
---
It should be correct, but please review.
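The effect described in the commit message, as an added user-space example that is not part of this thread or of the kernel tree. It assumes a 64-bit build and models loff_t as int64_t and both size_t and mtd->size as uint64_t; check_old, check_patched, check_sub and MODEL_EINVAL are hypothetical names, and check_sub goes beyond the patch by showing an addition-free form of the same check.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed stand-ins for a 64-bit kernel, not the kernel's own definitions:
 * loff_t -> int64_t, size_t -> uint64_t, mtd->size -> uint64_t. */
#define MODEL_EINVAL 22

/* Pre-patch check. `len < 0` is dead code for an unsigned len, so it is
 * left out; the sum wraps modulo 2^64 when len is a "negative" value. */
static int check_old(int64_t from, uint64_t len, uint64_t size)
{
    if (from < 0 || (uint64_t)from + len > size)
        return -MODEL_EINVAL;
    return 0;
}

/* Check as changed by the patch: an oversized len is rejected first. */
static int check_patched(int64_t from, uint64_t len, uint64_t size)
{
    if (len > size || from < 0 || (uint64_t)from + len > size)
        return -MODEL_EINVAL;
    return 0;
}

/* Addition-free variant: size - len cannot wrap once len <= size holds. */
static int check_sub(int64_t from, uint64_t len, uint64_t size)
{
    if (len > size || from < 0 || (uint64_t)from > size - len)
        return -MODEL_EINVAL;
    return 0;
}

int main(void)
{
    /* Constructed inputs: a 1024-byte device and a length of -1500
     * that reached the function as an unsigned value. */
    uint64_t size = 1024, wrapped = (uint64_t)-1500;

    printf("from=2000 len=-1500: old=%d patched=%d sub=%d\n",
           check_old(2000, wrapped, size),
           check_patched(2000, wrapped, size),
           check_sub(2000, wrapped, size));
    /* Constructed boundary case, not a realistic device size. */
    printf("from=1 len=size=UINT64_MAX: patched=%d sub=%d\n",
           check_patched(1, UINT64_MAX, UINT64_MAX),
           check_sub(1, UINT64_MAX, UINT64_MAX));
    return 0;
}
```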