LKML Archive on lore.kernel.org
* [PATCH 10/16] dlm: make find_rsb() fail gracefully when namelen is too large
@ 2008-02-07  6:09 David Teigland
From: David Teigland @ 2008-02-07  6:09 UTC (permalink / raw)
  To: linux-kernel; +Cc: Al Viro

From: Al Viro <viro@zeniv.linux.org.uk>

We *can* get there from receive_request() and dlm_recover_master_copy()
with namelen too large if incoming request is invalid; BUG() from
DLM_ASSERT() in allocate_rsb() is a bit excessive reaction to that
and in case of dlm_recover_master_copy() we would actually oops before
that while calculating hash of up to 64Kb worth of data - with data
actually being 64 _bytes_ in kmalloc()'ed struct.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: David Teigland <teigland@redhat.com>
---
 fs/dlm/lock.c |    6 +++++-
 1 files changed, 5 insertions(+), 1 deletions(-)

diff --git a/fs/dlm/lock.c b/fs/dlm/lock.c
index 0593dd8..6d98cf9 100644
--- a/fs/dlm/lock.c
+++ b/fs/dlm/lock.c
@@ -436,11 +436,15 @@ static int find_rsb(struct dlm_ls *ls, char *name, int namelen,
 {
 	struct dlm_rsb *r, *tmp;
 	uint32_t hash, bucket;
-	int error = 0;
+	int error = -EINVAL;
+
+	if (namelen > DLM_RESNAME_MAXLEN)
+		goto out;
 
 	if (dlm_no_directory(ls))
 		flags |= R_CREATE;
 
+	error = 0;
 	hash = jhash(name, namelen, 0);
 	bucket = hash & (ls->ls_rsbtbl_size - 1);
 
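Review bot: the new test at the top of find_rsb(), `if (namelen > DLM_RESNAME_MAXLEN)`, bounds namelen only from above, while namelen is a signed int in the signature and is still handed to jhash(name, namelen, 0) a few lines later. If either caller named in the commit message can derive a negative length from a malformed message, it passes this check and reaches the hash; rejecting namelen <= 0 in the same condition (or making the parameter unsigned) would close that. Two smaller points: `goto out` is now taken before r is assigned, and r is declared without an initializer, so the code at the out label (outside this hunk) should be checked for any use of r. Initializing error to -EINVAL and resetting it with `error = 0` before the hash is easy to break in later edits; setting error = -EINVAL inside the length check and keeping the original `int error = 0` reads more directly.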
-- 
1.5.3.3

