dlm: check the maximum size of a request from user

device_write only checks whether the request size is big enough, but it doesn't check if the size is too big. At that point, it also tries to allocate as much memory as the user has requested even if it's too much. This can lead to OOM killer kicking in, or memory corruption if (count + 1) overflows. Signed-off-by: Sasha Levin <levinsasha928@gmail.com> Signed-off-by: David Teigland <teigland@redhat.com>
author: Sasha Levin <levinsasha928@gmail.com> 2012-09-09 16:16:58 +0200
committer: David Teigland <teigland@redhat.com> 2012-09-10 09:50:27 -0500
commit: 2b75bc9121e54e22537207b47b71373bcb0be41c (patch)
tree: 1b2778a163dedd71cd968b3b4e1d2049b5a86319 /fs/dlm
parent: 9c5bef5849c9fde1a37ac005299f759440cbaf4c (diff)
1 files changed, 7 insertions, 0 deletions
diff --git a/fs/dlm/user.c b/fs/dlm/user.c
index eb4ed9ba309..7ff49852b0c 100644
--- a/fs/dlm/user.c
+++ b/fs/dlm/user.c
@@ -503,6 +503,13 @@ static ssize_t device_write(struct file *file, const char __user *buf,
 #endif
 		return -EINVAL;
 
+#ifdef CONFIG_COMPAT
+	if (count > sizeof(struct dlm_write_request32) + DLM_RESNAME_MAXLEN)
+#else
+	if (count > sizeof(struct dlm_write_request) + DLM_RESNAME_MAXLEN)
+#endif
+		return -EINVAL;
+
 	kbuf = kzalloc(count + 1, GFP_NOFS);
 	if (!kbuf)
 		return -ENOMEM;
author	Sasha Levin <levinsasha928@gmail.com>	2012-09-09 16:16:58 +0200
committer	David Teigland <teigland@redhat.com>	2012-09-10 09:50:27 -0500
commit	2b75bc9121e54e22537207b47b71373bcb0be41c (patch)
tree	1b2778a163dedd71cd968b3b4e1d2049b5a86319 /fs/dlm
parent	9c5bef5849c9fde1a37ac005299f759440cbaf4c (diff)