Re: [PATCH 0/2] ocfs2/dlm: fix two bugs in dlm_match_regions()
From: Wengang Wang
Date: Sat Mar 07 2026 - 11:06:34 EST
The two patches look good to me.
Reviewed-by: Wengang Wang <wen.gang.wang@xxxxxxxxxx>
Just unrelated to these patches, looking at function o2hb_get_all_regions,
2519 int o2hb_get_all_regions(char *region_uuids, u8 max_regions)
2520 {
2521 	struct o2hb_region *reg;
2522 	int numregs = 0;
2523 	char *p;
2524
2525 	spin_lock(&o2hb_live_lock);
2526
2527 	p = region_uuids;
2528 	list_for_each_entry(reg, &o2hb_all_regions, hr_all_item) {
2529 		if (reg->hr_item_dropped)
2530 			continue;
2531
2532 		mlog(0, "Region: %s\n", config_item_name(&reg->hr_item));
2533 		if (numregs < max_regions) {
2534 			memcpy(p, config_item_name(&reg->hr_item),
2535 			       O2HB_MAX_REGION_NAME_LEN);
2536 			p += O2HB_MAX_REGION_NAME_LEN;
2537 		}
2538 		numregs++;
2539 	}
2540
2541 	spin_unlock(&o2hb_live_lock);
2542
2543 	return numregs;
2544 }
It seems that 'numregs' can mismatch with 'region_uuids' (line 2538 vs line 2534) due to the limitation of 'max_regions',
though calling o2hb_get_all_regions() with max_regions being O2NM_MAX_REGIONS looks good.
Thanks,
Wengang
> On Mar 6, 2026, at 11:22 PM, Junrui Luo <moonafterrain@xxxxxxxxxxx> wrote:
>
> In dlm_match_regions(), the qr_numregions field from a DLM_QUERY_REGION
> network message is used to drive loops over the qr_regions buffer without
> sufficient validation. This series fixes two issues:
>
> - Patch 1 adds a bounds check to reject messages where qr_numregions
> exceeds O2NM_MAX_REGIONS. The o2net layer only validates message
> byte length; it does not constrain field values, so a crafted message
> can set qr_numregions up to 255 and trigger out-of-bounds reads past
> the 1024-byte qr_regions buffer.
>
> - Patch 2 fixes an off-by-one in the local-vs-remote comparison loop,
> which uses '<=' instead of '<', reading one entry past the valid range
> even when qr_numregions is within bounds.
>
> Signed-off-by: Junrui Luo <moonafterrain@xxxxxxxxxxx>
> ---
> Junrui Luo (2):
> ocfs2/dlm: validate qr_numregions in dlm_match_regions()
> ocfs2/dlm: fix off-by-one in dlm_match_regions() region comparison
>
> fs/ocfs2/dlm/dlmdomain.c | 10 +++++++++-
> 1 file changed, 9 insertions(+), 1 deletion(-)
> ---
> base-commit: 0031c06807cfa8aa51a759ff8aa09e1aa48149af
> change-id: 20260307-fixes-9d8b95012a49
>
> Best regards,
> --
> Junrui Luo <moonafterrain@xxxxxxxxxxx>
>
>
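As an added illustration, not code from either patch or from this thread, here is a userland C model of the two checks the cover letter describes: the bound on qr_numregions against O2NM_MAX_REGIONS and the strict '<' in the local-vs-remote comparison loop. The struct layout, the helper names, the constant values and the sample region lists are assumptions constructed for the example.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>

/* Values assumed to match the in-tree ocfs2 headers. */
#define O2NM_MAX_REGIONS 32
#define O2HB_MAX_REGION_NAME_LEN 32

/* Simplified DLM_QUERY_REGION payload: a u8 count drives loops over a
 * fixed 32 * 32 = 1024-byte name array, so a count of 255 runs far past it. */
struct query_region {
	uint8_t qr_numregions;
	uint8_t qr_regions[O2HB_MAX_REGION_NAME_LEN * O2NM_MAX_REGIONS];
};

/* Patch 1, modelled: reject a count the buffer cannot hold. */
int validate_numregions(const struct query_region *qr)
{
	return qr->qr_numregions > O2NM_MAX_REGIONS ? -EINVAL : 0;
}

/* Patch 2, modelled: count local names absent from the remote list,
 * visiting exactly qr_numregions remote slots (strict '<', not '<='). */
int count_missing_regions(const struct query_region *qr,
			  const char *local, int localnr)
{
	int i, j, missing = 0;
	if (validate_numregions(qr))
		return -EINVAL;
	for (i = 0; i < localnr; ++i) {
		const char *l = local + i * O2HB_MAX_REGION_NAME_LEN;
		int found = 0;
		for (j = 0; j < qr->qr_numregions; ++j)
			if (!memcmp(l, qr->qr_regions + j * O2HB_MAX_REGION_NAME_LEN,
				    O2HB_MAX_REGION_NAME_LEN)) {
				found = 1;
				break;
			}
		missing += !found;
	}
	return missing;
}

/* Constructed sample: local list {"A","B"}, remote buffer has "A" in
 * slot 0 and zeroed slots after it; numregs is what the message claims. */
int sample_missing(uint8_t numregs)
{
	struct query_region qr = {0};
	char local[2 * O2HB_MAX_REGION_NAME_LEN] = {0};
	local[0] = 'A'; local[O2HB_MAX_REGION_NAME_LEN] = 'B';
	qr.qr_regions[0] = 'A'; qr.qr_numregions = numregs;
	return count_missing_regions(&qr, local, 2);
}
```

With numregs = 0 the strict bound yields 2 missing names; the old '<=' form would have compared against slot 0 anyway and reported only 1.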