Commit ef58bcca authored Jan 25, 2008 by Al Viro Committed by David Teigland Feb 04, 2008

dlm: make find_rsb() fail gracefully when namelen is too large



We *can* get there from receive_request() and dlm_recover_master_copy()
with namelen too large if incoming request is invalid; BUG() from
DLM_ASSERT() in allocate_rsb() is a bit excessive reaction to that
and in case of dlm_recover_master_copy() we would actually oops before
that while calculating hash of up to 64Kb worth of data - with data
actually being 64 _bytes_ in kmalloc()'ed struct.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: David Teigland <teigland@redhat.com>

parent a5dd0631

fs/dlm/lock.c

+5 −1

Original line number	Diff line number	Diff line
		@@ -436,11 +436,15 @@ static int find_rsb(struct dlm_ls ls, char name, int namelen,
		{
		struct dlm_rsb r, tmp;
		uint32_t hash, bucket;
		int error = 0;
		int error = -EINVAL;

		if (namelen > DLM_RESNAME_MAXLEN)
		goto out;

		if (dlm_no_directory(ls))
		flags \|= R_CREATE;

		error = 0;
		hash = jhash(name, namelen, 0);
		bucket = hash & (ls->ls_rsbtbl_size - 1);