[PATCH] ubi: gluebi_{read,write} len + {from,to} can exceed mtd->size

Artem Bityutskiy dedekind at infradead.org
Mon Jun 22 12:17:09 EDT 2009


On Mon, 2009-06-22 at 19:21 +0200, Roel Kluin wrote:
> when size_t `len' is negative it is wrapped so the test `len < 0' fails.
> `from' and `to' have type loff_t (signed). During the addition `len' is
> converted to signed. So when `len' is negative `from + len` can be
> less than `mtd->size' while `from' is larger than `mtd->size'. This
> patch fixes this.
> 
> Signed-off-by: Roel Kluin <roel.kluin at gmail.com>

Thanks, pushed to ubi-2.6.git tree with slightly amended commit message:

commit cf9e1e425172035575bee070df031c8a58015cb8
Author: Roel Kluin <roel.kluin at gmail.com>
Date:   Mon Jun 22 19:21:38 2009 +0200

    UBI: fix input parameters check in gluebi

    size_t `len' is unsigned `len < 0' always fails.
    `from' and `to' have type loff_t (signed). During the addition `len' is
    converted to signed. So when `len' is negative `from + len` can be
    less than `mtd->size' while `from' is larger than `mtd->size'. This
    patch fixes this.

    Signed-off-by: Roel Kluin <roel.kluin at gmail.com>
    Signed-off-by: Artem Bityutskiy <Artem.Bityutskiy at nokia.com>

-- 
Best regards,
Artem Bityutskiy (Битюцкий Артём)




More information about the linux-mtd mailing list