It looks like if the passed in parameter is not present, but parameter length is non zero, then sanity checks on the length are skipped and lstcon_test_add() might then use incorrect allocation that's prone to integer overflow size. This patch ensures that parameter len is zero if parameter is not present. Reported-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx> Signed-off-by: Oleg Drokin <green@xxxxxxxxxxxxxx> --- drivers/staging/lustre/lnet/selftest/conctl.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/drivers/staging/lustre/lnet/selftest/conctl.c b/drivers/staging/lustre/lnet/selftest/conctl.c index 02847bf..9438302 100644 --- a/drivers/staging/lustre/lnet/selftest/conctl.c +++ b/drivers/staging/lustre/lnet/selftest/conctl.c @@ -742,6 +742,10 @@ static int lst_test_add_ioctl(lstio_test_args_t *args) PAGE_SIZE - sizeof(struct lstcon_test))) return -EINVAL; + /* Enforce zero parameter length if there's no parameter */ + if (!args->lstio_tes_param && args->lstio_tes_param_len) + return -EINVAL; + LIBCFS_ALLOC(batch_name, args->lstio_tes_bat_nmlen + 1); if (!batch_name) return rc; -- 2.7.4 _______________________________________________ devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxx http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel
