The short_io_size value is accepting unsigned values from
req_capsule_get_size, and so needs to be unsigned as well.
If it's not, it's possible for the short_io_size memcopy to
act on an incorrect value and cause memory corruption.
Reported-by: Alibaba Cloud <yunye.ry@alibaba-inc.com>
Signed-off-by: Patrick Farrell <pfarrell@whamcloud.com>
Change-Id: I043e314cd43a7b40519f951a605fa5a36ff91dcf
Reviewed-on: https://review.whamcloud.com/35653
Reviewed-by: Andreas Dilger <adilger@whamcloud.com>
Reviewed-by: Sebastien Buisson <sbuisson@ddn.com>
Tested-by: jenkins <devops@whamcloud.com>
Tested-by: Maloo <maloo@whamcloud.com>
Reviewed-by: Oleg Drokin <green@whamcloud.com>
EXPORT_SYMBOL(tgt_brw_read);
static int tgt_shortio2pages(struct niobuf_local *local, int npages,
- unsigned char *buf, int size)
+ unsigned char *buf, unsigned int size)
{
int i, off, len;
char *ptr;
if (rc < 0)
GOTO(out_lock, rc);
if (body->oa.o_flags & OBD_FL_SHORT_IO) {
- int short_io_size;
+ unsigned int short_io_size;
unsigned char *short_io_buf;
short_io_size = req_capsule_get_size(&req->rq_pill,