Reported by Dan Carpenter <dan.carpen...@oracle.com>

outsize = sizeof(*gfout) + gfin->gf_pathlen;

Where outsize is int and gf_pathlen is u32 from userspace
can lead to integer overflowwhere outsize is some small number
less than sizeof(*gfout)

Add a check for pathlen to be of sensical size.

Signed-off-by: Oleg Drokin <oleg.dro...@intel.com>
Reviewed-on: http://review.whamcloud.com/11412
Intel-bug-id: https://jira.hpdd.intel.com/browse/LU-5476
Reviewed-by: Dmitry Eremin <dmitry.ere...@intel.com>
Reviewed-by: John L. Hammond <john.hamm...@intel.com>
---
 drivers/staging/lustre/lustre/llite/file.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/staging/lustre/lustre/llite/file.c 
b/drivers/staging/lustre/lustre/llite/file.c
index d3874e1..4a33638 100644
--- a/drivers/staging/lustre/lustre/llite/file.c
+++ b/drivers/staging/lustre/lustre/llite/file.c
@@ -1719,6 +1719,9 @@ int ll_fid2path(struct inode *inode, void __user *arg)
        if (get_user(pathlen, &gfin->gf_pathlen))
                return -EFAULT;
 
+       if (pathlen > PATH_MAX)
+               return -EINVAL;
+
        outsize = sizeof(*gfout) + pathlen;
 
        OBD_ALLOC(gfout, outsize);
-- 
1.9.3

_______________________________________________
devel mailing list
de...@linuxdriverproject.org
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel

Reply via email to