UBI: fix out of bounds write

commit d74adbdb upstream. If aeb->len >= vol->reserved_pebs, we should not be writing aeb into the PEB->LEB mapping. Caught by Coverity, CID #711212. Signed-off-by: Brian Norris <computersforpeace@gmail.com> Signed-off-by: Richard Weinberger <richard@nod.at> [bwh: Backported to 3.2: adjust context; s/leb/seb/g] Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

UBI: fix out of bounds write
commit d74adbdb upstream. If aeb->len >= vol->reserved_pebs, we should not be writing aeb into the PEB->LEB mapping. Caught by Coverity, CID #711212. Signed-off-by: Brian Norris <computersforpeace@gmail.com> Signed-off-by: Richard Weinberger <richard@nod.at> [bwh: Backported to 3.2: adjust context; s/leb/seb/g] Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
4d1519d8 · Brian Norris · Ben Hutchings · 5daa0af6 · 4d1519d8
Commit 4d1519d8 authored Feb 28, 2015 by Brian Norris Committed by Ben Hutchings Aug 07, 2015
Hide whitespace changes
Inline Side-by-side

Showing with 2 additions and 1 deletion

drivers/mtd/ubi/eba.c drivers/mtd/ubi/eba.c +2 -1

No files found.
--- a/drivers/mtd/ubi/eba.c
+++ b/drivers/mtd/ubi/eba.c
@@ -1261,7 +1261,8 @@ int ubi_eba_init_scan(struct ubi_device *ubi, struct ubi_scan_info *si)
 				 * during re-size.
 				 */
 				ubi_scan_move_to_list(sv, seb, &si->erase);
-			vol->eba_tbl[seb->lnum] = seb->pnum;
+			else
+				vol->eba_tbl[seb->lnum] = seb->pnum;
 		}
 	}