If size is smaller than the lov_user_md struct then we are reading
beyond the end of the buffer. I guess this is an information leak or it
could cause an Oops if the memory is not mapped.
Signed-off-by: Dan Carpenter <dan.carpen...@oracle.com>
---
This was discovered through a code audit. I'm not terribly familiar
with this code and I haven't tested it. Please review it carefully.
diff --git a/drivers/staging/lustre/lustre/llite/xattr.c
b/drivers/staging/lustre/lustre/llite/xattr.c
index 252a619..75abb97 100644
--- a/drivers/staging/lustre/lustre/llite/xattr.c
+++ b/drivers/staging/lustre/lustre/llite/xattr.c
@@ -223,6 +223,9 @@ int ll_setxattr(struct dentry *dentry, const char *name,
CDEBUG(D_VFSTRACE, "VFS Op:inode=%lu/%u(%p), xattr %s\n",
inode->i_ino, inode->i_generation, inode, name);
+ if (size != 0 && size < sizeof(struct lov_user_md))
+ return -EINVAL;
+
ll_stats_ops_tally(ll_i2sbi(inode), LPROC_LL_SETXATTR, 1);
if ((strncmp(name, XATTR_TRUSTED_PREFIX,
_______________________________________________
devel mailing list
de...@linuxdriverproject.org
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel
