From patchwork Sun Jan 18 23:15:13 2009
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: roel kluin <roel.kluin@gmail.com>
X-Patchwork-Id: 19231
Return-Path: 
 <linux-mtd-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@ozlabs.org
Received: from bombadil.infradead.org (bombadil.infradead.org [18.85.46.34])
	(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
	(Client did not present a certificate)
	by ozlabs.org (Postfix) with ESMTPS id 1242CDDDCA
	for <incoming@patchwork.ozlabs.org>;
	Mon, 19 Jan 2009 10:18:01 +1100 (EST)
Received: from localhost ([::1] helo=bombadil.infradead.org)
	by bombadil.infradead.org with esmtp (Exim 4.69 #1 (Red Hat Linux))
	id 1LOgrS-0007bL-GD; Sun, 18 Jan 2009 23:15:22 +0000
Received: from mail-ew0-f20.google.com ([209.85.219.20])
	by bombadil.infradead.org with esmtp (Exim 4.69 #1 (Red Hat Linux))
	id 1LOgrK-0007ao-3J
	for linux-mtd@lists.infradead.org; Sun, 18 Jan 2009 23:15:16 +0000
Received: by ewy13 with SMTP id 13so157732ewy.18
	for <linux-mtd@lists.infradead.org>;
	Sun, 18 Jan 2009 15:15:12 -0800 (PST)
Received: by 10.210.35.10 with SMTP id i10mr5035064ebi.53.1232320512077;
	Sun, 18 Jan 2009 15:15:12 -0800 (PST)
Received: from ?192.168.1.115? (d133062.upc-d.chello.nl [213.46.133.62])
	by mx.google.com with ESMTPS id
	k5sm12404099nfh.52.2009.01.18.15.15.11
	(version=TLSv1/SSLv3 cipher=RC4-MD5);
	Sun, 18 Jan 2009 15:15:11 -0800 (PST)
Message-ID: <4973B801.5050408@gmail.com>
Date: Mon, 19 Jan 2009 00:15:13 +0100
From: Roel Kluin <roel.kluin@gmail.com>
User-Agent: Thunderbird 2.0.0.18 (X11/20081105)
MIME-Version: 1.0
To: dwmw2@infradead.org
Subject: [PATCH] MTD: a negative devlength won't get noticed
X-Spam-Score: 0.0 (/)
Cc: linux-mtd@lists.infradead.org
X-BeenThere: linux-mtd@lists.infradead.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Linux MTD discussion mailing list <linux-mtd.lists.infradead.org>
List-Unsubscribe: <http://lists.infradead.org/mailman/listinfo/linux-mtd>,
	<mailto:linux-mtd-request@lists.infradead.org?subject=unsubscribe>
List-Archive: <http://lists.infradead.org/pipermail/linux-mtd>
List-Post: <mailto:linux-mtd@lists.infradead.org>
List-Help: <mailto:linux-mtd-request@lists.infradead.org?subject=help>
List-Subscribe: <http://lists.infradead.org/mailman/listinfo/linux-mtd>,
	<mailto:linux-mtd-request@lists.infradead.org?subject=subscribe>
Sender: linux-mtd-bounces@lists.infradead.org
Errors-To: linux-mtd-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org

a negative devlength won't get noticed and clean up:

Signed-off-by: Roel Kluin <roel.kluin@gmail.com>
---
devstart and devlength are unsigned longs and handle_unit() can only
return positive. so a negative devstart won't occur, only a negative
devlength can when (*(szlength) != '+').

for hadle_unit() see
vi drivers/mtd/devices/slram.c +244

diff --git a/drivers/mtd/devices/slram.c b/drivers/mtd/devices/slram.c
index a425d09..00248e8 100644
--- a/drivers/mtd/devices/slram.c
+++ b/drivers/mtd/devices/slram.c
@@ -267,22 +267,28 @@ static int parse_cmdline(char *devname, char *szstart, char *szlength)
 	if (*(szlength) != '+') {
 		devlength = simple_strtoul(szlength, &buffer, 0);
 		devlength = handle_unit(devlength, buffer) - devstart;
+		if (devlength < devstart)
+			goto err_out;
+
+		devlength -= devstart;
 	} else {
 		devlength = simple_strtoul(szlength + 1, &buffer, 0);
 		devlength = handle_unit(devlength, buffer);
 	}
 	T("slram: devname=%s, devstart=0x%lx, devlength=0x%lx\n",
 			devname, devstart, devlength);
-	if ((devstart < 0) || (devlength < 0) || (devlength % SLRAM_BLK_SZ != 0)) {
-		E("slram: Illegal start / length parameter.\n");
-		return(-EINVAL);
-	}
+	if (devlength % SLRAM_BLK_SZ != 0)
+		goto err_out;
 
 	if ((devstart = register_device(devname, devstart, devlength))){
 		unregister_devices();
 		return((int)devstart);
 	}
 	return(0);
+
+err_out:
+	E("slram: Illegal length parameter.\n");
+	return(-EINVAL);
 }
 
 #ifndef MODULE