If size is smaller than the lov_user_md struct then we are reading beyond the end of the buffer. I guess this is an information leak or it could cause an Oops if the memory is not mapped. Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx> --- This was discovered through a code audit. I'm not terribly familiar with this code and I haven't tested it. Please review it carefully. diff --git a/drivers/staging/lustre/lustre/llite/xattr.c b/drivers/staging/lustre/lustre/llite/xattr.c index 252a619..75abb97 100644 --- a/drivers/staging/lustre/lustre/llite/xattr.c +++ b/drivers/staging/lustre/lustre/llite/xattr.c @@ -223,6 +223,9 @@ int ll_setxattr(struct dentry *dentry, const char *name, CDEBUG(D_VFSTRACE, "VFS Op:inode=%lu/%u(%p), xattr %s\n", inode->i_ino, inode->i_generation, inode, name); + if (size != 0 && size < sizeof(struct lov_user_md)) + return -EINVAL; + ll_stats_ops_tally(ll_i2sbi(inode), LPROC_LL_SETXATTR, 1); if ((strncmp(name, XATTR_TRUSTED_PREFIX, -- To unsubscribe from this list: send the line "unsubscribe kernel-janitors" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
