
Commit 2b75bc91 authored by Sasha Levin, committed by David Teigland

dlm: check the maximum size of a request from user



device_write only checks whether the request size is big enough, but it doesn't
check if the size is too big.

At that point, it also tries to allocate as much memory as the user has requested
even if it's too much. This can lead to OOM killer kicking in, or memory corruption
if (count + 1) overflows.

Signed-off-by: Sasha Levin <levinsasha928@gmail.com>
Signed-off-by: David Teigland <teigland@redhat.com>
parent 9c5bef58
+7 −0
@@ -503,6 +503,13 @@ static ssize_t device_write(struct file *file, const char __user *buf,
#endif
		return -EINVAL;

#ifdef CONFIG_COMPAT
	if (count > sizeof(struct dlm_write_request32) + DLM_RESNAME_MAXLEN)
#else
	if (count > sizeof(struct dlm_write_request) + DLM_RESNAME_MAXLEN)
#endif
		return -EINVAL;

	kbuf = kzalloc(count + 1, GFP_NOFS);
	if (!kbuf)
		return -ENOMEM;
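
Review bot: the new upper-bound check under #ifdef CONFIG_COMPAT compares count against sizeof(struct dlm_write_request32) + DLM_RESNAME_MAXLEN for every caller, yet nothing in the visible lines before it establishes that the request is a 32-bit one. If struct dlm_write_request is larger than its 32-bit counterpart, a native caller on a CONFIG_COMPAT kernel that sends a maximum-length resource name would be rejected with -EINVAL. Suggest bounding by the larger layout unconditionally, `if (count > sizeof(struct dlm_write_request) + DLM_RESNAME_MAXLEN)` with no #ifdef, which still caps count before the `kzalloc(count + 1, GFP_NOFS)` call, and adding a one-line comment on why the maximum is not mirrored from the minimum-size check.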