Reported by Dan Carpenter <dan.carpen...@oracle.com> outsize = sizeof(*gfout) + gfin->gf_pathlen;
Where outsize is int and gf_pathlen is u32 from userspace can lead to integer overflowwhere outsize is some small number less than sizeof(*gfout) Add a check for pathlen to be of sensical size. Signed-off-by: Oleg Drokin <oleg.dro...@intel.com> Reviewed-on: http://review.whamcloud.com/11412 Intel-bug-id: https://jira.hpdd.intel.com/browse/LU-5476 Reviewed-by: Dmitry Eremin <dmitry.ere...@intel.com> Reviewed-by: John L. Hammond <john.hamm...@intel.com> --- drivers/staging/lustre/lustre/llite/file.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/staging/lustre/lustre/llite/file.c b/drivers/staging/lustre/lustre/llite/file.c index d3874e1..4a33638 100644 --- a/drivers/staging/lustre/lustre/llite/file.c +++ b/drivers/staging/lustre/lustre/llite/file.c @@ -1719,6 +1719,9 @@ int ll_fid2path(struct inode *inode, void __user *arg) if (get_user(pathlen, &gfin->gf_pathlen)) return -EFAULT; + if (pathlen > PATH_MAX) + return -EINVAL; + outsize = sizeof(*gfout) + pathlen; OBD_ALLOC(gfout, outsize); -- 1.9.3 -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/