zfs: fix integer truncation in zap_lookup

Size after shift could exceed 16 bits; use grub_uint32_t for result.

Reported and tested by: Kostya Berger <bergerkos@yahoo.co.uk>
Closes: 44448
Andrei Borzenkov 2015-05-14 07:50:33 +03:00
parent 5082ea6184
commit 5370dcfdae


@ -2071,10 +2071,10 @@ dmu_read (dnode_end_t * dn, grub_uint64_t blkid, void **buf,
*/ */
static grub_err_t static grub_err_t
mzap_lookup (mzap_phys_t * zapobj, grub_zfs_endian_t endian, mzap_lookup (mzap_phys_t * zapobj, grub_zfs_endian_t endian,
grub_uint16_t objsize, const char *name, grub_uint64_t * value, grub_uint32_t objsize, const char *name, grub_uint64_t * value,
int case_insensitive) int case_insensitive)
{ {
grub_uint16_t i, chunks; grub_uint32_t i, chunks;
mzap_ent_phys_t *mzap_ent = zapobj->mz_chunk; mzap_ent_phys_t *mzap_ent = zapobj->mz_chunk;
if (objsize < MZAP_ENT_LEN) if (objsize < MZAP_ENT_LEN)
@ -2486,7 +2486,7 @@ zap_lookup (dnode_end_t * zap_dnode, const char *name, grub_uint64_t *val,
struct grub_zfs_data *data, int case_insensitive) struct grub_zfs_data *data, int case_insensitive)
{ {
grub_uint64_t block_type; grub_uint64_t block_type;
grub_uint16_t size; grub_uint32_t size;
void *zapbuf; void *zapbuf;
grub_err_t err; grub_err_t err;
grub_zfs_endian_t endian; grub_zfs_endian_t endian;
@ -2494,7 +2494,7 @@ zap_lookup (dnode_end_t * zap_dnode, const char *name, grub_uint64_t *val,
grub_dprintf ("zfs", "looking for '%s'\n", name); grub_dprintf ("zfs", "looking for '%s'\n", name);
/* Read in the first block of the zap object data. */ /* Read in the first block of the zap object data. */
size = grub_zfs_to_cpu16 (zap_dnode->dn.dn_datablkszsec, size = (grub_uint32_t) grub_zfs_to_cpu16 (zap_dnode->dn.dn_datablkszsec,
zap_dnode->endian) << SPA_MINBLOCKSHIFT; zap_dnode->endian) << SPA_MINBLOCKSHIFT;
err = dmu_read (zap_dnode, 0, &zapbuf, &endian, data); err = dmu_read (zap_dnode, 0, &zapbuf, &endian, data);
if (err) if (err)
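Review bot: In zap_lookup the widened `size` is still computed only from the on-disk `dn_datablkszsec` field, and the `dmu_read (zap_dnode, 0, &zapbuf, &endian, data)` call that follows reports no length, so nothing visible here ties `size` to the number of bytes actually placed in `zapbuf`. With 32 bits the value can now reach roughly 32 MiB (0xFFFF << SPA_MINBLOCKSHIFT), and the only check on it shown in mzap_lookup is the lower bound `if (objsize < MZAP_ENT_LEN)`. If `size` is later used as the extent of `zapbuf`, as the `objsize` parameter suggests, a dnode from a damaged or crafted pool could make the lookup walk past the buffer. I would add an upper-bound check against the block length that was really read, or at least a comment at the assignment such as `/* size is taken from the on-disk dnode and is untrusted; it must not exceed the length of zapbuf. */`. Both function bodies continue outside the hunks, so the check may already exist further down and should be confirmed there.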