Re: [PATCH 0/2] ocfs2/dlm: fix two bugs in dlm_match_regions()
From: Wengang Wang
Date: Sat Mar 07 2026 - 11:15:20 EST
Sorry, my email client added more to the "Reviewed-by" part, correcting it as (hope the correction looks good).
Reviewed-by: Wengang Wang <wen.gang.wang@xxxxxxxxxx>
Thanks,
Wengang
> On Mar 7, 2026, at 8:06 AM, Wengang Wang <wen.gang.wang@xxxxxxxxxx> wrote:
>
> The two patches look good to me.
>
> Reviewed-by: Wengang Wang <wen.gang.wang@xxxxxxxxxx <mailto:wen.gang.wang@xxxxxxxxxx>>
>
> Just unrelated to these patches, looking at function o2hb_get_all_regions,
>
> 2519 int o2hb_get_all_regions(char *region_uuids, u8 max_regions)
> 2520 {
> 2521 struct o2hb_region *reg;
> 2522 int numregs = 0;
> 2523 char *p;
> 2524
> 2525 spin_lock(&o2hb_live_lock);
> 2526
> 2527 p = region_uuids;
> 2528 list_for_each_entry(reg, &o2hb_all_regions, hr_all_item) {
> 2529 if (reg->hr_item_dropped)
> 2530 continue;
> 2531
> 2532 mlog(0, "Region: %s\n", config_item_name(&reg->hr_item));
> 2533 if (numregs < max_regions) {
> 2534 memcpy(p, config_item_name(&reg->hr_item),
> 2535 O2HB_MAX_REGION_NAME_LEN);
> 2536 p += O2HB_MAX_REGION_NAME_LEN;
> 2537 }
> 2538 numregs++;
> 2539 }
> 2540
> 2541 spin_unlock(&o2hb_live_lock);
> 2542
> 2543 return numregs;
> 2544 }
>
> It seems that 'numregs' can mismatch with 'region_uuids' (line 2538 VS line 2534) due to the limitation of 'max_regions'
> though calling o2hb_get_all_regions() with max_regions being O2NM_MAX_REGIONS looks good.
>
> Thanks,
> Wengang
>
>
>> On Mar 6, 2026, at 11:22 PM, Junrui Luo <moonafterrain@xxxxxxxxxxx> wrote:
>>
>> In dlm_match_regions(), the qr_numregions field from a DLM_QUERY_REGION
>> network message is used to drive loops over the qr_regions buffer without
>> sufficient validation. This series fixes two issues:
>>
>> - Patch 1 adds a bounds check to reject messages where qr_numregions
>> exceeds O2NM_MAX_REGIONS. The o2net layer only validates message
>> byte length; it does not constrain field values, so a crafted message
>> can set qr_numregions up to 255 and trigger out-of-bounds reads past
>> the 1024-byte qr_regions buffer.
>>
>> - Patch 2 fixes an off-by-one in the local-vs-remote comparison loop,
>> which uses '<=' instead of '<', reading one entry past the valid range
>> even when qr_numregions is within bounds.
>>
>> Signed-off-by: Junrui Luo <moonafterrain@xxxxxxxxxxx>
>> ---
>> Junrui Luo (2):
>> ocfs2/dlm: validate qr_numregions in dlm_match_regions()
>> ocfs2/dlm: fix off-by-one in dlm_match_regions() region comparison
>>
>> fs/ocfs2/dlm/dlmdomain.c | 10 +++++++++-
>> 1 file changed, 9 insertions(+), 1 deletion(-)
>> ---
>> base-commit: 0031c06807cfa8aa51a759ff8aa09e1aa48149af
>> change-id: 20260307-fixes-9d8b95012a49
>>
>> Best regards,
>> --
>> Junrui Luo <moonafterrain@xxxxxxxxxxx>
>>
>>
>
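The two defects described in the cover letter (an unvalidated remote count used as a loop bound over a fixed 1024-byte buffer, and a '<=' loop that reads one entry past the end) plus the count/buffer mismatch Wengang points out in o2hb_get_all_regions() can be shown in a small user-space model. The following is an added example written for this thread; it is not code from the patch series or from the ocfs2 tree. The struct layouts, the values of O2NM_MAX_REGIONS and O2HB_MAX_REGION_NAME_LEN (chosen so that the region buffer is 1024 bytes), and the function names collect_regions(), match_regions_checked() and the demo_* helpers are all assumptions for the illustration.

```c
#include <stdint.h>
#include <string.h>

/* Assumed values: O2NM_MAX_REGIONS entries of O2HB_MAX_REGION_NAME_LEN bytes
 * give the 1024-byte qr_regions buffer the cover letter refers to. */
#define O2NM_MAX_REGIONS 32
#define O2HB_MAX_REGION_NAME_LEN 32
#define QR_REGIONS_LEN (O2NM_MAX_REGIONS * O2HB_MAX_REGION_NAME_LEN)

/* Hypothetical stand-in for the DLM_QUERY_REGION payload: an 8-bit count
 * followed by a fixed-size region name buffer. */
struct query_region_msg {
    uint8_t qr_numregions;
    char qr_regions[QR_REGIONS_LEN];
};

/* Local region list as a caller would build it from o2hb_get_all_regions(). */
struct local_region_list {
    int numregs;
    char uuids[QR_REGIONS_LEN];
};

enum { REGIONS_MATCH = 0, REGIONS_MISMATCH = 1, REGIONS_INVALID = -1 };

/* Models o2hb_get_all_regions(): copies at most max_regions names into out
 * but returns the total count, so a return value larger than max_regions
 * means the buffer does not describe every region (Wengang's observation). */
int collect_regions(const char *names[], int count, char *out, uint8_t max_regions)
{
    int numregs = 0;
    char *p = out;
    for (int i = 0; i < count; i++) {
        if (numregs < max_regions) {
            size_t n = strlen(names[i]);
            if (n > O2HB_MAX_REGION_NAME_LEN)
                n = O2HB_MAX_REGION_NAME_LEN;
            memset(p, 0, O2HB_MAX_REGION_NAME_LEN);
            memcpy(p, names[i], n);
            p += O2HB_MAX_REGION_NAME_LEN;
        }
        numregs++;
    }
    return numregs;
}

/* Hardened comparison in the shape the two patches describe. */
int match_regions_checked(const struct query_region_msg *qr,
                          const struct local_region_list *local)
{
    /* Patch 1: qr_numregions comes off the wire, so cap it before it is
     * used as an index bound over the fixed-size buffer. Also refuse a local
     * count the buffer cannot hold (collect_regions() may return more). */
    if (qr->qr_numregions > O2NM_MAX_REGIONS || local->numregs > O2NM_MAX_REGIONS)
        return REGIONS_INVALID;
    if (qr->qr_numregions != local->numregs)
        return REGIONS_MISMATCH;

    /* Patch 2: '<' rather than '<=' so entry qr_numregions is never read. */
    for (int i = 0; i < qr->qr_numregions; i++) {
        const char *r = qr->qr_regions + i * O2HB_MAX_REGION_NAME_LEN;
        int found = 0;
        for (int j = 0; j < local->numregs; j++) {
            const char *l = local->uuids + j * O2HB_MAX_REGION_NAME_LEN;
            if (memcmp(r, l, O2HB_MAX_REGION_NAME_LEN) == 0) {
                found = 1;
                break;
            }
        }
        if (!found)
            return REGIONS_MISMATCH;
    }
    return REGIONS_MATCH;
}

/* Constructed inputs for the scenarios below. */
static const char *two_names[] = { "region-A", "region-B" };
static const char *three_names[] = { "region-A", "region-B", "region-C" };

static void setup(struct local_region_list *local, struct query_region_msg *qr,
                  const char *names[], int count)
{
    memset(local, 0, sizeof(*local));
    memset(qr, 0, sizeof(*qr));
    local->numregs = collect_regions(two_names, 2, local->uuids, O2NM_MAX_REGIONS);
    qr->qr_numregions = (uint8_t)count;
    collect_regions(names, count, qr->qr_regions, O2NM_MAX_REGIONS);
}

int demo_match(void)          /* same two regions on both sides */
{
    struct local_region_list local; struct query_region_msg qr;
    setup(&local, &qr, two_names, 2);
    return match_regions_checked(&qr, &local);
}

int demo_oversized_count(void) /* count field claims 255 regions */
{
    struct local_region_list local; struct query_region_msg qr;
    setup(&local, &qr, two_names, 2);
    qr.qr_numregions = 255;
    return match_regions_checked(&qr, &local);
}

int demo_count_mismatch(void) /* remote advertises three, local has two */
{
    struct local_region_list local; struct query_region_msg qr;
    setup(&local, &qr, three_names, 3);
    return match_regions_checked(&qr, &local);
}

int demo_collect_overflow(void) /* more regions than the buffer holds */
{
    char buf[QR_REGIONS_LEN];
    return collect_regions(three_names, 3, buf, 2);
}
```

The model keeps the count validation separate from the comparison loop so the first check fails closed on any count the buffer cannot represent, and demo_collect_overflow() shows why a caller of a get-all-regions style helper has to compare the returned total with the capacity it passed rather than trusting the buffer contents alone.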