authorTheo de Raadt <deraadt@cvs.openbsd.org>2006-11-29 13:35:08 +0000
committerTheo de Raadt <deraadt@cvs.openbsd.org>2006-11-29 13:35:08 +0000
commit98e934b77f487171b7edcd32d0faeee948fd86cf (patch)
treeb297deacfd57bd906a20c174d6685fc1a26e938a /sys/msdosfs
parentdf4d27fcc53d5ecccd721719b88144eafda3edbd (diff)
detect potential multiplicative overflow before allocation, and return via
the error path; ok pedro
Diffstat (limited to 'sys/msdosfs')
-rw-r--r--sys/msdosfs/msdosfs_vfsops.c16
1 files changed, 10 insertions, 6 deletions
diff --git a/sys/msdosfs/msdosfs_vfsops.c b/sys/msdosfs/msdosfs_vfsops.c
index f164a4b5156..114644f0e9f 100644
--- a/sys/msdosfs/msdosfs_vfsops.c
+++ b/sys/msdosfs/msdosfs_vfsops.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: msdosfs_vfsops.c,v 1.41 2006/11/26 00:59:32 pedro Exp $ */
+/* $OpenBSD: msdosfs_vfsops.c,v 1.42 2006/11/29 13:35:07 deraadt Exp $ */
/* $NetBSD: msdosfs_vfsops.c,v 1.48 1997/10/18 02:54:57 briggs Exp $ */
/*-
@@ -270,7 +270,7 @@ msdosfs_mountfs(devvp, mp, p, argp)
struct byte_bpb710 *b710;
extern struct vnode *rootvp;
u_int8_t SecPerClust;
- int ronly, error;
+ int ronly, error, bmapsiz;
int bsize = 0, dtype = 0, tmp;
uint32_t dirsperblk;
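Review bot: `bmapsiz` is declared `int` here, but the third hunk assigns it `(pmp->pm_maxcluster + N_INUSEBITS - 1) / N_INUSEBITS`, compares it against `SIZE_MAX` and multiplies it by a `sizeof`. The type of `pm_maxcluster` is not visible in this diff; if it is wider than `int`, the assignment can truncate the count before the overflow test runs. The test would then pass on a value smaller than the cluster count that later code presumably uses to walk the bitmap. Declaring it separately as `size_t bmapsiz;` keeps the count, the guard and the `malloc` argument in one unsigned type of allocation width. The declaration list of msdosfs_mountfs starts and ends outside this hunk.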
@@ -539,10 +539,14 @@ msdosfs_mountfs(devvp, mp, p, argp)
* Allocate memory for the bitmap of allocated clusters, and then
* fill it in.
*/
- pmp->pm_inusemap = malloc(((pmp->pm_maxcluster + N_INUSEBITS - 1)
- / N_INUSEBITS)
- * sizeof(*pmp->pm_inusemap),
- M_MSDOSFSFAT, M_WAITOK | M_CANFAIL);
+ bmapsiz = (pmp->pm_maxcluster + N_INUSEBITS - 1) / N_INUSEBITS;
+ if (bmapsiz == 0 || SIZE_MAX / bmapsiz < sizeof(*pmp->pm_inusemap)) {
+ /* detect multiplicative integer overflow */
+ error = EINVAL;
+ goto error_exit;
+ }
+ pmp->pm_inusemap = malloc(bmapsiz * sizeof(*pmp->pm_inusemap),
+ M_MSDOSFSFAT, M_WAITOK | M_CANFAIL);
if (pmp->pm_inusemap == NULL) {
error = EINVAL;
goto error_exit;
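Review bot: The comment inside the new guard names only the multiplication case, while the `bmapsiz == 0` arm of the same condition is left unexplained. That arm runs first because `||` short-circuits, so it both keeps `SIZE_MAX / bmapsiz` from dividing by zero and rejects a volume whose cluster count yields an empty map. I would move the comment above the `if` and word it as `/* reject an empty bitmap (this also guards the division) and a byte count that would overflow size_t */`. The `if (pmp->pm_inusemap == NULL)` block that follows is closed outside the hunk.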