diff options
| author | Brian Norris <computersforpeace@gmail.com> | 2015-02-28 02:23:26 -0800 |
|---|---|---|
| committer | Richard Weinberger <richard@nod.at> | 2015-03-26 12:07:17 +0100 |
| commit | d74adbdb9abf0d2506a6c4afa534d894f28b763f (patch) | |
| tree | 0d5f9eab00ec5a117e8c665dd249456978e7decd /drivers/mtd/ubi | |
| parent | 8eef7d70f7c6772c3490f410ee2bceab3b543fa1 (diff) | |
| download | op-kernel-dev-d74adbdb9abf0d2506a6c4afa534d894f28b763f.zip op-kernel-dev-d74adbdb9abf0d2506a6c4afa534d894f28b763f.tar.gz | |
UBI: fix out of bounds write
If aeb->len >= vol->reserved_pebs, we should not be writing aeb into the
PEB->LEB mapping.
Caught by Coverity, CID #711212.
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Brian Norris <computersforpeace@gmail.com>
Signed-off-by: Richard Weinberger <richard@nod.at>
Diffstat (limited to 'drivers/mtd/ubi')
| -rw-r--r-- | drivers/mtd/ubi/eba.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/drivers/mtd/ubi/eba.c b/drivers/mtd/ubi/eba.c index 16e34b3..8c9a710 100644 --- a/drivers/mtd/ubi/eba.c +++ b/drivers/mtd/ubi/eba.c @@ -1419,7 +1419,8 @@ int ubi_eba_init(struct ubi_device *ubi, struct ubi_attach_info *ai) * during re-size. */ ubi_move_aeb_to_list(av, aeb, &ai->erase); - vol->eba_tbl[aeb->lnum] = aeb->pnum; + else + vol->eba_tbl[aeb->lnum] = aeb->pnum; } } |
