Hi Oleg,

The patch d7e09d0397e8: "staging: add Lustre file system client support"
from May 2, 2013, leads to the following static checker warning:

	drivers/staging/lustre/lustre/llite/file.c:1730 ll_fid2path()
	error: memcpy() 'gfout' too small

drivers/staging/lustre/lustre/llite/file.c
  1719          if (copy_from_user(gfin, arg, sizeof(*gfin))) {
  1720                  OBD_FREE_PTR(gfin);
  1721                  return -EFAULT;
  1722          }
  1723
  1724          outsize = sizeof(*gfout) + gfin->gf_pathlen;

outsize is an int.  gfin->gf_pathlen is a u32 which comes from the user.
The addition can overflow so outsize is less than sizeof(*gfout).

  1725          OBD_ALLOC(gfout, outsize);
  1726          if (gfout == NULL) {
  1727                  OBD_FREE_PTR(gfin);
  1728                  return -ENOMEM;
  1729          }
  1730          memcpy(gfout, gfin, sizeof(*gfout));

It would lead to memory corruption here.  Probably we should add
something like:

	if (gfin->gf_pathlen > PATH_MAX)
		return -EINVAL;

Is that the right limit here?

  1731          OBD_FREE_PTR(gfin);
  1732
  1733          /* Call mdc_iocontrol */
  1734          rc = obd_iocontrol(OBD_IOC_FID2PATH, exp, outsize, gfout, NULL);

regards,
dan carpenter
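
The size calculation from the mail, modelled in user space as an added example (not code from the patch or from Lustre). The names struct gf_model, outsize_unchecked(), outsize_checked() and GF_PATH_MAX are hypothetical, the struct is a 32-byte stand-in for the real header, and the 4096 bound is the PATH_MAX limit the mail proposes, not a confirmed one.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption: Linux PATH_MAX value, used as the bound proposed in the mail. */
#define GF_PATH_MAX 4096u

/* Stand-in header: fixed fields followed by gf_pathlen bytes of path. */
struct gf_model {
	uint8_t  gf_fid[16];
	uint64_t gf_recno;
	uint32_t gf_linkno;
	uint32_t gf_pathlen;	/* user-controlled */
	char     gf_path[];
};

/* Low 32 bits of sizeof(header) + pathlen: the bit pattern stored in the int. */
static uint32_t outsize_unchecked(uint32_t pathlen)
{
	return (uint32_t)((uint64_t)sizeof(struct gf_model) + pathlen);
}

/* Bounded variant: reject the length before it reaches the addition. */
static int outsize_checked(uint32_t pathlen, int *outsize)
{
	if (pathlen > GF_PATH_MAX)
		return -EINVAL;
	*outsize = (int)(sizeof(struct gf_model) + pathlen);
	return 0;
}

int main(void)
{
	/* Constructed sample lengths: two ordinary, two that wrap. */
	const uint32_t samples[] = { 256u, GF_PATH_MAX, 0xffffffe0u, 0xffffffffu };

	for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
		int sz = 0;
		uint32_t raw = outsize_unchecked(samples[i]);
		int rc = outsize_checked(samples[i], &sz);

		printf("gf_pathlen=%#x unchecked=%u (%s) checked rc=%d size=%d\n",
		       samples[i], raw,
		       raw < sizeof(struct gf_model) ? "smaller than header" : "fits",
		       rc, sz);
	}
	return 0;
}
```

With gf_pathlen = 0xffffffff the unchecked size comes out one byte smaller than the header, which is the case the memcpy() warning at line 1730 is about.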