[PATCH 1/2] ocfs2/dlm: validate qr_numregions in dlm_match_regions()

Next message: Charan Pedumuru: "[PATCH] dt-bindings: usb: st,st-ehci-300x: convert to DT schema"
Previous message: Liu Dalin: "[PATCH] checkpatch: Ignore attribute macros ending with nGnRnE or nGnRE"
In reply to: Junrui Luo: "[PATCH 0/2] ocfs2/dlm: fix two bugs in dlm_match_regions()"
Next in thread: Junrui Luo: "[PATCH 2/2] ocfs2/dlm: fix off-by-one in dlm_match_regions() region comparison"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Junrui Luo

Date: Sat Mar 07 2026 - 02:31:24 EST

The qr_numregions field from a DLM_QUERY_REGION network message is used
directly as loop bounds in dlm_match_regions() without checking against
O2NM_MAX_REGIONS. Since qr_regions is sized for at most O2NM_MAX_REGIONS
(32) entries, a crafted message with qr_numregions > 32 causes
out-of-bounds reads past the qr_regions buffer.

Add a bounds check for qr_numregions before entering the loops.

Fixes: ea2034416b54 ("ocfs2/dlm: Add message DLM_QUERY_REGION")
Reported-by: Yuhao Jiang <danisjiang@xxxxxxxxx>
Signed-off-by: Junrui Luo <moonafterrain@xxxxxxxxxxx>
---
fs/ocfs2/dlm/dlmdomain.c | 8 ++++++++
1 file changed, 8 insertions(+)

diff --git a/fs/ocfs2/dlm/dlmdomain.c b/fs/ocfs2/dlm/dlmdomain.c
index 70ca79e4bdc3..0a28cb5ded2a 100644
--- a/fs/ocfs2/dlm/dlmdomain.c
+++ b/fs/ocfs2/dlm/dlmdomain.c
@@ -980,6 +980,14 @@ static int dlm_match_regions(struct dlm_ctxt *dlm,
goto bail;
}

+ if (qr->qr_numregions > O2NM_MAX_REGIONS) {
+ mlog(ML_ERROR, "Domain %s: Joining node %d has invalid "
+ "number of heartbeat regions %u\n",
+ qr->qr_domain, qr->qr_node, qr->qr_numregions);
+ status = -EINVAL;
+ goto bail;
+ }
+
r = remote;
for (i = 0; i < qr->qr_numregions; ++i) {
mlog(0, "Region %.*s\n", O2HB_MAX_REGION_NAME_LEN, r);

--
2.52.0