LU-5476 llite: Fix integer overflow in ll_fid2path

Reported by Dan Carpenter <dan.carpenter@oracle.com>

outsize = sizeof(*gfout) + gfin->gf_pathlen;

Where outsize is int and gf_pathlen is u32 from userspace
can lead to integer overflowwhere outsize is some small number
less than sizeof(*gfout)

Add a check for pathlen to be of sensical size.

Change-Id: I90d6ca290d115eabd9b68c7512c65f7e1fccc752
Signed-off-by: Oleg Drokin <oleg.drokin@intel.com>
Reviewed-on: http://review.whamcloud.com/11412
Reviewed-by: Dmitry Eremin <dmitry.eremin@intel.com>
Tested-by: Jenkins
Tested-by: Maloo <hpdd-maloo@intel.com>
Reviewed-by: John L. Hammond <john.hammond@intel.com>

diff --git a/lustre/llite/file.c b/lustre/llite/file.c
index dfb638a..adf68ef 100644 (file)
--- a/lustre/llite/file.c
+++ b/lustre/llite/file.c
@@ -1913,6 +1913,9 @@ int ll_fid2path(struct inode *inode, void __user *arg)
        if (get_user(pathlen, &gfin->gf_pathlen))
                RETURN(-EFAULT);
 
+       if (pathlen > PATH_MAX)
+               RETURN(-EINVAL);
+
        outsize = sizeof(*gfout) + pathlen;
        OBD_ALLOC(gfout, outsize);
        if (gfout == NULL)