public inbox for linux-kernel@vger.kernel.org
* [PATCH] dlm: check the maximum size of a request from user
@ 2012-09-09 14:16 Sasha Levin
  2012-09-10 15:43 ` David Teigland
  0 siblings, 1 reply; 2+ messages in thread
From: Sasha Levin @ 2012-09-09 14:16 UTC
  To: ccaulfie, teigland; +Cc: cluster-devel, linux-kernel, davej, Sasha Levin

device_write only checks whether the request size is big enough, but it doesn't
check if the size is too big.

At that point, it also tries to allocate as much memory as the user has requested
even if it's too much. This can lead to OOM killer kicking in, or memory corruption
if (count + 1) overflows.

Signed-off-by: Sasha Levin <levinsasha928@gmail.com>
---
 fs/dlm/user.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/fs/dlm/user.c b/fs/dlm/user.c
index eb4ed9b..7ff4985 100644
--- a/fs/dlm/user.c
+++ b/fs/dlm/user.c
@@ -503,6 +503,13 @@ static ssize_t device_write(struct file *file, const char __user *buf,
 #endif
 		return -EINVAL;
 
+#ifdef CONFIG_COMPAT
+	if (count > sizeof(struct dlm_write_request32) + DLM_RESNAME_MAXLEN)
+#else
+	if (count > sizeof(struct dlm_write_request) + DLM_RESNAME_MAXLEN)
+#endif
+		return -EINVAL;
+
 	kbuf = kzalloc(count + 1, GFP_NOFS);
 	if (!kbuf)
 		return -ENOMEM;
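
Review bot: The upper bound in the `#ifdef CONFIG_COMPAT` branch is taken from `sizeof(struct dlm_write_request32)` for every caller, because the choice is made at build time and nothing in this hunk checks whether the writing task is actually a compat task. If the 32-bit layout is smaller than `struct dlm_write_request`, a native caller on a CONFIG_COMPAT kernel that sends a full-size request with a `DLM_RESNAME_MAXLEN` name would be rejected with -EINVAL. Since the purpose here is only to cap the `kzalloc(count + 1, GFP_NOFS)` size and rule out the `count + 1` wrap, consider dropping the `#ifdef` and comparing against `sizeof(struct dlm_write_request) + DLM_RESNAME_MAXLEN` unconditionally, with a short comment that the compat case is not yet known at this point.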
-- 
1.7.12

