diff options
| author | Brian Norris <computersforpeace@gmail.com> | 2015-02-28 11:13:13 +0100 |
|---|---|---|
| committer | Brian Norris <computersforpeace@gmail.com> | 2015-05-07 05:02:37 +0200 |
| commit | f5cd2ae1e4ad23bc6527b4a667d3f27534730cc5 (patch) | |
| tree | db6afc8de0be0581cffc2d7a0999f13614514f4a /drivers/mtd/nand/nand_bbt.c | |
| parent | mtd: nand_bbt: unify/fix error handling in nand_scan_bbt() (diff) | |
| download | linux-f5cd2ae1e4ad23bc6527b4a667d3f27534730cc5.tar.xz linux-f5cd2ae1e4ad23bc6527b4a667d3f27534730cc5.zip | |
mtd: nand_bbt: fix theoretical integer overflow in BBT write
This statement was written with a cast-to-loff_t to be sure to have a
full 64-bit mask. However, we don't account for the fact that
'1 << this->bbt_erase_shift' might already overflow.
This will not be a problem in practice, since eraseblocks should never
be anywhere near 4GiB. But we can do this for completeness, and quiet
Coverity in the meantime. CID #1226806.
Signed-off-by: Brian Norris <computersforpeace@gmail.com>
Diffstat (limited to 'drivers/mtd/nand/nand_bbt.c')
| -rw-r--r-- | drivers/mtd/nand/nand_bbt.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/drivers/mtd/nand/nand_bbt.c b/drivers/mtd/nand/nand_bbt.c index 516db2c4524b..2c4fa1a17031 100644 --- a/drivers/mtd/nand/nand_bbt.c +++ b/drivers/mtd/nand/nand_bbt.c @@ -719,7 +719,7 @@ static int write_bbt(struct mtd_info *mtd, uint8_t *buf, /* Must we save the block contents? */ if (td->options & NAND_BBT_SAVECONTENT) { /* Make it block aligned */ - to &= ~((loff_t)((1 << this->bbt_erase_shift) - 1)); + to &= ~(((loff_t)1 << this->bbt_erase_shift) - 1); len = 1 << this->bbt_erase_shift; res = mtd_read(mtd, to, len, &retlen, buf); if (res < 0) { |