[PATCH 06/16] dlm: missing length check in check_config()
From: David Teigland
Date: Thu Feb 07 2008 - 01:20:22 EST
From: Al Viro <viro@xxxxxxxxxxxxxxxxxx>
Signed-off-by: Al Viro <viro@xxxxxxxxxxxxxxxxxx>
Signed-off-by: David Teigland <teigland@xxxxxxxxxx>
---
fs/dlm/rcom.c | 7 +++++++
1 files changed, 7 insertions(+), 0 deletions(-)
diff --git a/fs/dlm/rcom.c b/fs/dlm/rcom.c
index 3f9b96f..a312f1d 100644
--- a/fs/dlm/rcom.c
+++ b/fs/dlm/rcom.c
@@ -85,6 +85,7 @@ static void make_config(struct dlm_ls *ls, struct rcom_config *rf)
static int check_config(struct dlm_ls *ls, struct dlm_rcom *rc, int nodeid)
{
struct rcom_config *rf = (struct rcom_config *) rc->rc_buf;
+ size_t conf_size = sizeof(struct dlm_rcom) + sizeof(struct rcom_config);
if ((rc->rc_header.h_version & 0xFFFF0000) != DLM_HEADER_MAJOR) {
log_error(ls, "version mismatch: %x nodeid %d: %x",
@@ -93,6 +94,12 @@ static int check_config(struct dlm_ls *ls, struct dlm_rcom *rc, int nodeid)
return -EPROTO;
}
+ if (rc->rc_header.h_length < conf_size) {
+ log_error(ls, "config too short: %d nodeid %d",
+ rc->rc_header.h_length, nodeid);
+ return -EPROTO;
+ }
+
if (le32_to_cpu(rf->rf_lvblen) != ls->ls_lvblen ||
le32_to_cpu(rf->rf_lsflags) != ls->ls_exflags) {
log_error(ls, "config mismatch: %d,%x nodeid %d: %d,%x",
--
1.5.3.3
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/