Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 02a5cc53 authored by Martin Brandenburg's avatar Martin Brandenburg Committed by Mike Marshall
Browse files

orangefs: sanitize listxattr and return EIO on impossible values 



Signed-off-by: default avatarMartin Brandenburg <martin@omnibond.com>
Signed-off-by: default avatarMike Marshall <hubcap@omnibond.com>
parent 5e06664f

fs/orangefs/xattr.c

+10 −0
Original line number Diff line number Diff line
@@ -394,6 +394,7 @@ ssize_t orangefs_listxattr(struct dentry *dentry, char *buffer, size_t size) 
		gossip_err("%s: impossible value for returned_count:%d:\n",

		__func__,

		returned_count);

		ret = -EIO;

		goto done;

	}
@@ -401,6 +402,15 @@ ssize_t orangefs_listxattr(struct dentry *dentry, char *buffer, size_t size) 
	 * Check to see how much can be fit in the buffer. Fit only whole keys.

	 */

	for (i = 0; i < returned_count; i++) {

		if (new_op->downcall.resp.listxattr.lengths[i] < 0 ||

		    new_op->downcall.resp.listxattr.lengths[i] >

		    ORANGEFS_MAX_XATTR_NAMELEN) {

			gossip_err("%s: impossible value for lengths[%d]\n",

			    __func__,

			    new_op->downcall.resp.listxattr.lengths[i]);

			ret = -EIO;

			goto done;

		}

		if (total + new_op->downcall.resp.listxattr.lengths[i] > size)

			goto done;