[PATCH 0/2] ocfs2/dlm: fix two bugs in dlm_match_regions()
From: Junrui Luo
Date: Sat Mar 07 2026 - 02:23:44 EST
In dlm_match_regions(), the qr_numregions field from a DLM_QUERY_REGION
network message is used to drive loops over the qr_regions buffer without
sufficient validation. This series fixes two issues:
- Patch 1 adds a bounds check to reject messages where qr_numregions
  exceeds O2NM_MAX_REGIONS. The o2net layer only validates message
  byte length; it does not constrain field values, so a crafted message
  can set qr_numregions up to 255 and trigger out-of-bounds reads past
  the 1024-byte qr_regions buffer.
- Patch 2 fixes an off-by-one in the local-vs-remote comparison loop,
  which uses '<=' instead of '<', reading one entry past the valid range
  even when qr_numregions is within bounds.
Signed-off-by: Junrui Luo <moonafterrain@xxxxxxxxxxx>
---
Junrui Luo (2):
      ocfs2/dlm: validate qr_numregions in dlm_match_regions()
      ocfs2/dlm: fix off-by-one in dlm_match_regions() region comparison

 fs/ocfs2/dlm/dlmdomain.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
---
base-commit: 0031c06807cfa8aa51a759ff8aa09e1aa48149af
change-id: 20260307-fixes-9d8b95012a49
Best regards,
--
Junrui Luo <moonafterrain@xxxxxxxxxxx>
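
A userspace model of the two checks this cover letter describes, added here as an illustration and not taken from the patches or from fs/ocfs2/dlm/dlmdomain.c. The struct, the function names and both size constants are assumptions, with the sizes picked so the buffer is 1024 bytes as stated above.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed sizes, chosen so qr_regions is 1024 bytes as the cover letter states. */
#define MAX_REGIONS     32  /* stands in for O2NM_MAX_REGIONS */
#define REGION_NAME_LEN 32  /* assumed fixed length of one region name */

/* Hypothetical userspace model of the message, not the kernel struct. */
struct query_region_model {
    uint8_t qr_numregions;  /* one byte on the wire: a peer can send 0..255 */
    uint8_t qr_regions[MAX_REGIONS * REGION_NAME_LEN];
};

/* Constructed-input helper: write a zero-padded name into slot idx. */
void set_region(uint8_t *buf, int idx, const char *name)
{
    size_t n = strlen(name) < REGION_NAME_LEN ? strlen(name) : REGION_NAME_LEN;
    memset(buf + idx * REGION_NAME_LEN, 0, REGION_NAME_LEN);
    memcpy(buf + idx * REGION_NAME_LEN, name, n);
}

/* Returns 0 on match, -1 on mismatch, -2 when a count is out of range. */
int match_regions_model(const struct query_region_model *qr,
                        const uint8_t *local, int localnr)
{
    /* Reject the count before it drives any loop over qr_regions. */
    if (qr->qr_numregions > MAX_REGIONS || localnr < 0 || localnr > MAX_REGIONS)
        return -2;
    for (int i = 0; i < localnr; i++) {
        const uint8_t *l = local + i * REGION_NAME_LEN;
        int found = 0;
        /* '<', not '<=': entries at index >= qr_numregions are not valid. */
        for (int j = 0; j < qr->qr_numregions && !found; j++)
            found = !memcmp(l, qr->qr_regions + j * REGION_NAME_LEN, REGION_NAME_LEN);
        if (!found)
            return -1;
    }
    return 0;
}

int main(void)
{
    struct query_region_model qr = { .qr_numregions = 255 }; /* constructed */
    uint8_t local[REGION_NAME_LEN];
    set_region(local, 0, "constructed-region-A");
    printf("count 255 -> %d\n", match_regions_model(&qr, local, 1));
    return 0;
}
```

With a count of 1, a name left in slot 1 of the remote buffer must not satisfy the comparison; a '<=' bound would accept it, and at a count of 32 it would read slot 32, which lies outside the buffer.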