staging: lustre: validate size in ll_setxattr()

If size is smaller than the lov_user_md struct then we are reading beyond the end of the buffer. I guess this is an information leak or it could cause an Oops if the memory is not mapped. Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
author: Dan Carpenter <dan.carpenter@oracle.com> 2014-10-22 17:23:07 +0300
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2014-10-29 16:33:11 +0800
commit: 87ebccf97f54fe20c0a8a86e21164473cc7d57e1 (patch)
tree: 97c1af9d5e16a20c95479d6e48f9a301768f7f68 /drivers/staging/lustre
parent: 85bcfab46955e6f4bcfd08ffb989f941e003da2a (diff)
download: op-kernel-dev-87ebccf97f54fe20c0a8a86e21164473cc7d57e1.zip
op-kernel-dev-87ebccf97f54fe20c0a8a86e21164473cc7d57e1.tar.gz
1 files changed, 3 insertions, 0 deletions
diff --git a/drivers/staging/lustre/lustre/llite/xattr.c b/drivers/staging/lustre/lustre/llite/xattr.c
index 252a619..3ad9796 100644
--- a/drivers/staging/lustre/lustre/llite/xattr.c
+++ b/drivers/staging/lustre/lustre/llite/xattr.c
@@ -234,6 +234,9 @@ int ll_setxattr(struct dentry *dentry, const char *name,
 		struct lov_user_md *lump = (struct lov_user_md *)value;
 		int rc = 0;
 
+		if (size != 0 && size < sizeof(struct lov_user_md))
+			return -EINVAL;
+
 		/* Attributes that are saved via getxattr will always have
 		 * the stripe_offset as 0.  Instead, the MDS should be
 		 * allowed to pick the starting OST index.   b=17846 */
author	Dan Carpenter <dan.carpenter@oracle.com>	2014-10-22 17:23:07 +0300
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2014-10-29 16:33:11 +0800
commit	87ebccf97f54fe20c0a8a86e21164473cc7d57e1 (patch)
tree	97c1af9d5e16a20c95479d6e48f9a301768f7f68 /drivers/staging/lustre
parent	85bcfab46955e6f4bcfd08ffb989f941e003da2a (diff)
download	op-kernel-dev-87ebccf97f54fe20c0a8a86e21164473cc7d57e1.zip op-kernel-dev-87ebccf97f54fe20c0a8a86e21164473cc7d57e1.tar.gz