Reported by Dan Carpenter <dan.carpenter@xxxxxxxxxx> outsize = sizeof(*gfout) + gfin->gf_pathlen; Where outsize is int and gf_pathlen is u32 from userspace can lead to integer overflowwhere outsize is some small number less than sizeof(*gfout) Add a check for pathlen to be of sensical size. Signed-off-by: Oleg Drokin <oleg.drokin@xxxxxxxxx> Reviewed-on: http://review.whamcloud.com/11412 Intel-bug-id: https://jira.hpdd.intel.com/browse/LU-5476 Reviewed-by: Dmitry Eremin <dmitry.eremin@xxxxxxxxx> Reviewed-by: John L. Hammond <john.hammond@xxxxxxxxx> --- drivers/staging/lustre/lustre/llite/file.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/staging/lustre/lustre/llite/file.c b/drivers/staging/lustre/lustre/llite/file.c index d3874e1..4a33638 100644 --- a/drivers/staging/lustre/lustre/llite/file.c +++ b/drivers/staging/lustre/lustre/llite/file.c @@ -1719,6 +1719,9 @@ int ll_fid2path(struct inode *inode, void __user *arg) if (get_user(pathlen, &gfin->gf_pathlen)) return -EFAULT; + if (pathlen > PATH_MAX) + return -EINVAL; + outsize = sizeof(*gfout) + pathlen; OBD_ALLOC(gfout, outsize); -- 1.9.3 _______________________________________________ devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxx http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel
