UBI: fix out of bounds write

commit d74adbdb9abf0d2506a6c4afa534d894f28b763f upstream.

If aeb->len >= vol->reserved_pebs, we should not be writing aeb into the
PEB->LEB mapping.

Caught by Coverity, CID #711212.

Signed-off-by: Brian Norris <computersforpeace@gmail.com>
Signed-off-by: Richard Weinberger <richard@nod.at>
[lizf: Backported to 3.4: adjust context]
Signed-off-by: Zefan Li <lizefan@huawei.com>

diff --git a/drivers/mtd/ubi/eba.c b/drivers/mtd/ubi/eba.c
index 2455d620d96b8a4c1ecc86def50d1bd580766ece..9abc0ea6702e8f1f9793c8cfd5aa1935c620ef74 100644 (file)
--- a/drivers/mtd/ubi/eba.c
+++ b/drivers/mtd/ubi/eba.c
@@ -1261,7 +1261,8 @@ int ubi_eba_init_scan(struct ubi_device *ubi, struct ubi_scan_info *si)
                                 * during re-size.
                                 */
                                ubi_scan_move_to_list(sv, seb, &si->erase);
-                       vol->eba_tbl[seb->lnum] = seb->pnum;
+                       else
+                               vol->eba_tbl[seb->lnum] = seb->pnum;
                }
        }