Commit d4b0bcf32b946590afd29e202d6a399b84fe6c67

Authored by David Teigland
1 parent 6edacf05c8

dlm: check the write size from user

Return EINVAL from write if the size is larger than
allowed.  Do this before allocating kernel memory for
the bogus size, which could lead to OOM.

Reported-by: Sasha Levin <levinsasha928@gmail.com>
Tested-by: Jana Saout <jana@saout.de>
Signed-off-by: David Teigland <teigland@redhat.com>

Showing 1 changed file with 4 additions and 4 deletions

... ... @@ -503,11 +503,11 @@
503 503 #endif
504 504 return -EINVAL;
505 505  
506   -#ifdef CONFIG_COMPAT
507   - if (count > sizeof(struct dlm_write_request32) + DLM_RESNAME_MAXLEN)
508   -#else
  506 + /*
  507 + * can't compare against COMPAT/dlm_write_request32 because
  508 + * we don't yet know if is64bit is zero
  509 + */
509 510 if (count > sizeof(struct dlm_write_request) + DLM_RESNAME_MAXLEN)
510   -#endif
511 511 return -EINVAL;
512 512  
513 513 kbuf = kzalloc(count + 1, GFP_NOFS);
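Review bot: the new comment above `if (count > sizeof(struct dlm_write_request) + DLM_RESNAME_MAXLEN)` explains why the compat struct cannot be used yet, but not what the remaining check guarantees for a compat caller. With the `#ifdef CONFIG_COMPAT` branch gone, the bound is the native struct size for every writer. Assuming `struct dlm_write_request32` is no larger than the native struct, a 32-bit request that exceeds the old compat limit but fits the native one now reaches `kzalloc(count + 1, GFP_NOFS)`. That is fine for the OOM concern in the commit message, since the allocation is still capped at a small constant. The comment should say that this is only an upper bound on the allocation, and that any stricter compat size limit has to be applied after is64bit is known. It would also help to note in the commit message that the compat limit is relaxed rather than tightened, because the subject line reads as if a check were being added.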