From: Xi Wang <xi.wang@gmail.com>
Date: Fri, 20 Apr 2012 20:49:44 +0000 (-0500)
Subject: rbd: fix integer overflow in rbd_header_from_disk()
X-Git-Tag: v3.5-rc1~36^2~29
X-Git-Url: http://git.openpandora.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=50f7c4c967d0b5acd8e7ba6ab654dc4a7ac869ac;p=pandora-kernel.git

rbd: fix integer overflow in rbd_header_from_disk()

ondisk->snap_count is read from disk via rbd_req_sync_read() and thus
needs validation.  Otherwise, a bogus `snap_count' could overflow the
kmalloc() size, leading to memory corruption.

Also use `u32' consistently for `snap_count'.

[elder@dreamhost.com: changed to use UINT_MAX rather than ULONG_MAX]

Signed-off-by: Xi Wang <xi.wang@gmail.com>
Reviewed-by: Alex Elder <elder@dreamhost.com>
---

Reading git-diff-tree failed