[PATCH] ocfs2/dlm: validate message payload length in query handlers

From: Junrui Luo

Date: Thu Mar 12 2026 - 06:04:08 EST


dlm_query_region_handler() and dlm_query_nodeinfo_handler() cast
msg->buf to their respective structure pointers without validating
that the received message length is sufficient. The o2net transport
layer only enforces a maximum payload length, not a minimum, so a
truncated message passes the network check and reaches the handler.

This causes out-of-bounds reads from the receive page buffer when
accessing structure fields beyond the actual payload, leading to
operations on stale or uninitialized data.

Fix by validating that len covers the full expected structure size
before accessing any payload fields.

Cc: stable@xxxxxxxxxxxxxxx
Fixes: ea2034416b54 ("ocfs2/dlm: Add message DLM_QUERY_REGION")
Fixes: 18cfdf1b1a8e ("ocfs2/dlm: Add message DLM_QUERY_NODEINFO")
Reported-by: Yuhao Jiang <danisjiang@xxxxxxxxx>
Signed-off-by: Junrui Luo <moonafterrain@xxxxxxxxxxx>
---
fs/ocfs2/dlm/dlmdomain.c | 6 ++++++
1 file changed, 6 insertions(+)

diff --git a/fs/ocfs2/dlm/dlmdomain.c b/fs/ocfs2/dlm/dlmdomain.c
index 70ca79e4bdc3..07aef9ae8cbe 100644
--- a/fs/ocfs2/dlm/dlmdomain.c
+++ b/fs/ocfs2/dlm/dlmdomain.c
@@ -1100,6 +1100,9 @@ static int dlm_query_region_handler(struct o2net_msg *msg, u32 len,
char *local = NULL;
int status = 0;

+ if (len < sizeof(struct o2net_msg) + sizeof(struct dlm_query_region))
+ return -EINVAL;
+
qr = (struct dlm_query_region *) msg->buf;

mlog(0, "Node %u queries hb regions on domain %s\n", qr->qr_node,
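Review bot: the early `return -EINVAL` in this hunk rejects a short message silently, while the very next statement already emits an `mlog(0, ...)` for the normal path; a truncated query from a peer node is a condition an operator would want to see, so consider an `mlog(ML_ERROR, ...)` reporting the offending `len` and the expected size before returning. The placement itself is right: the check precedes the `msg->buf` cast, and it includes `sizeof(struct o2net_msg)`, which is consistent with `len` covering the header as well as the payload, so the comparison is against the full on-the-wire size rather than the payload alone.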
@@ -1276,6 +1279,9 @@ static int dlm_query_nodeinfo_handler(struct o2net_msg *msg, u32 len,
struct dlm_ctxt *dlm = NULL;
int status = -EINVAL;

+ if (len < sizeof(struct o2net_msg) + sizeof(struct dlm_query_nodeinfo))
+ return -EINVAL;
+
qn = (struct dlm_query_nodeinfo *) msg->buf;

mlog(0, "Node %u queries nodes on domain %s\n", qn->qn_nodenum,
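Review bot: this hunk duplicates the check from dlm_query_region_handler() with only the structure type changed; since both handlers apply the same rule (`len` must cover the o2net header plus the fixed structure), a small shared helper or macro would keep the two sites from drifting apart if one is later tightened. Also, if the sender always transmits exactly `sizeof(struct dlm_query_nodeinfo)` bytes, `len != sizeof(struct o2net_msg) + sizeof(struct dlm_query_nodeinfo)` would additionally reject oversized messages; if variable-length payloads are legitimate here, the `<` form is the right one and a comment saying so would help the next reader. Note `status` is already initialised to `-EINVAL` two lines above, so the literal in the new `return` is consistent with the handler's existing error convention.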

---
base-commit: 1f318b96cc84d7c2ab792fcc0bfd42a7ca890681
change-id: 20260312-fixes-c80f56fb6069

Best regards,
--
Junrui Luo <moonafterrain@xxxxxxxxxxx>