staging/lustre/llite: Fix integer overflow in ll_fid2path
authorOleg Drokin <green@linuxhacker.ru>
Fri, 15 Aug 2014 16:48:13 +0000 (12:48 -0400)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 17 Aug 2014 16:38:43 +0000 (09:38 -0700)
Reported by Dan Carpenter <dan.carpenter@oracle.com>

outsize = sizeof(*gfout) + gfin->gf_pathlen;

Where outsize is int and gf_pathlen is u32 from userspace
can lead to integer overflowwhere outsize is some small number
less than sizeof(*gfout)

Add a check for pathlen to be of sensical size.

Signed-off-by: Oleg Drokin <oleg.drokin@intel.com>
Reviewed-on: http://review.whamcloud.com/11412
Intel-bug-id: https://jira.hpdd.intel.com/browse/LU-5476
Reviewed-by: Dmitry Eremin <dmitry.eremin@intel.com>
Reviewed-by: John L. Hammond <john.hammond@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
drivers/staging/lustre/lustre/llite/file.c

index d3874e1afba8d83613f32883ca68570b86407fab..4a33638bef256cd436d18fd632c87eb1deeb4bc0 100644 (file)
@@ -1719,6 +1719,9 @@ int ll_fid2path(struct inode *inode, void __user *arg)
        if (get_user(pathlen, &gfin->gf_pathlen))
                return -EFAULT;
 
+       if (pathlen > PATH_MAX)
+               return -EINVAL;
+
        outsize = sizeof(*gfout) + pathlen;
 
        OBD_ALLOC(gfout, outsize);