From patchwork Mon Jun 22 17:21:38 2009 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: ubi: gluebi_{read, write} len + {from, to} can exceed mtd->size Date: Mon, 22 Jun 2009 07:21:38 -0000 From: roel kluin X-Patchwork-Id: 29003 Message-Id: <4A3FBDA2.3070403@gmail.com> To: dedekind@infradead.org Cc: Andrew Morton , linux-mtd@lists.infradead.org when size_t `len' is negative it is wrapped so the test `len < 0' fails. `from' and `to' have type loff_t (signed). During the addition `len' is converted to signed. So when `len' is negative `from + len` can be less than `mtd->size' while `from' is larger than `mtd->size'. This patch fixes this. Signed-off-by: Roel Kluin --- It should be correct, but please review. diff --git a/drivers/mtd/ubi/gluebi.c b/drivers/mtd/ubi/gluebi.c index 95aaac0..093729b 100644 --- a/drivers/mtd/ubi/gluebi.c +++ b/drivers/mtd/ubi/gluebi.c @@ -173,7 +173,7 @@ static int gluebi_read(struct mtd_info *mtd, loff_t from, size_t len, int err = 0, lnum, offs, total_read; struct gluebi_device *gluebi; - if (len < 0 || from < 0 || from + len > mtd->size) + if (len > mtd->size || from < 0 || from + len > mtd->size) return -EINVAL; gluebi = container_of(mtd, struct gluebi_device, mtd); @@ -217,7 +217,7 @@ static int gluebi_write(struct mtd_info *mtd, loff_t to, size_t len, int err = 0, lnum, offs, total_written; struct gluebi_device *gluebi; - if (len < 0 || to < 0 || len + to > mtd->size) + if (len > mtd->size || to < 0 || len + to > mtd->size) return -EINVAL; gluebi = container_of(mtd, struct gluebi_device, mtd);
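Review bot: In the gluebi_read hunk the new condition still evaluates `from + len`, and only `len` is bounded by `mtd->size`; `from` is tested for being negative but has no upper bound before the addition. Consider dropping the sum and comparing `len` against the remaining space, for example `from < 0 || from > mtd->size || len > mtd->size - from`, so the outcome no longer depends on how the signed `loff_t` and the unsigned `size_t` operands are converted when they are added.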
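Review bot: The gluebi_write hunk repeats the gluebi_read test with the operands in the other order (`len + to` here, `from + len` there), and neither site has a comment saying why `len > mtd->size` replaces `len < 0`. A one-line comment noting that `len` is `size_t`, so a negative length from the caller arrives as a very large value, would help. Alternatively, a small shared helper called from both functions would keep the two bounds checks from drifting apart.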