From: Oleg Drokin
Date: Tue, 12 Aug 2014 13:20:14 +0000 (-0400)
Subject: LU-5476 llite: Fix integer overflow in ll_fid2path
X-Git-Tag: 2.6.51~5
X-Git-Url: https://git.whamcloud.com/?a=commitdiff_plain;h=d01834323af7a14d2d4959d9bea58073e3bb16ea;p=fs%2Flustre-release.git

LU-5476 llite: Fix integer overflow in ll_fid2path

Reported by Dan Carpenter

outsize = sizeof(*gfout) + gfin->gf_pathlen;

Where outsize is int and gf_pathlen is u32 from userspace can lead to integer overflow where outsize is some small number less than sizeof(*gfout)

Add a check for pathlen to be of sensical size.

Change-Id: I90d6ca290d115eabd9b68c7512c65f7e1fccc752
Signed-off-by: Oleg Drokin
Reviewed-on: http://review.whamcloud.com/11412
Reviewed-by: Dmitry Eremin
Tested-by: Jenkins
Tested-by: Maloo
Reviewed-by: John L. Hammond

--- diff --git a/lustre/llite/file.c b/lustre/llite/file.c index dfb638a..adf68ef 100644 --- a/lustre/llite/file.c +++ b/lustre/llite/file.c @@ -1913,6 +1913,9 @@ int ll_fid2path(struct inode *inode, void __user *arg) if (get_user(pathlen, &gfin->gf_pathlen)) RETURN(-EFAULT); + if (pathlen > PATH_MAX) + RETURN(-EINVAL); + outsize = sizeof(*gfout) + pathlen; OBD_ALLOC(gfout, outsize); if (gfout == NULL)
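
Review bot: the added check "if (pathlen > PATH_MAX)" rejects only large values, and the declaration of pathlen is not in this hunk, so if pathlen is a signed type a userspace value with the top bit set would compare as negative, pass the check, and still leave outsize smaller than sizeof(*gfout). Suggest confirming that pathlen is declared as an unsigned 32-bit type to match gf_pathlen (u32 per the commit message), or rejecting negative values in the same condition. Since outsize is an int that holds a size passed to OBD_ALLOC, an unsigned size type would be a better fit there as well. A one-line comment on why PATH_MAX is the chosen limit would help the next reader of ll_fid2path.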