From d70c45a124aa2580115111aa8a77648f073dc799 Mon Sep 17 00:00:00 2001 From: Emoly Liu Date: Fri, 9 Aug 2019 15:29:30 +0800 Subject: [PATCH] LU-12605 tgt: check client data size in target_handle_connect() Check client data size (negative or excessively large) in case of memcpy corruption. Lustre-change: https://review.whamcloud.com/35711 Lustre-commit: 149f005a3199eee13fe6396671613a0f620ee0cc Change-Id: Ided26dea0e2bbb79e607c626810834ca947497d4 Reported-by: Alibaba Cloud Signed-off-by: Emoly Liu Reviewed-by: Andreas Dilger Reviewed-by: Patrick Farrell Signed-off-by: Minh Diep Reviewed-on: https://review.whamcloud.com/35935 Tested-by: jenkins Tested-by: Maloo --- lustre/ldlm/ldlm_lib.c | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/lustre/ldlm/ldlm_lib.c b/lustre/ldlm/ldlm_lib.c index 1c7eac3..1780cf7 100644 --- a/lustre/ldlm/ldlm_lib.c +++ b/lustre/ldlm/ldlm_lib.c @@ -1030,11 +1030,13 @@ int target_handle_connect(struct ptlrpc_request *req) conn = *tmp; - size = req_capsule_get_size(&req->rq_pill, &RMF_CONNECT_DATA, - RCL_CLIENT); - data = req_capsule_client_get(&req->rq_pill, &RMF_CONNECT_DATA); - if (!data) - GOTO(out, rc = -EPROTO); + size = req_capsule_get_size(&req->rq_pill, &RMF_CONNECT_DATA, + RCL_CLIENT); + if (size < 0 || size > 8 * sizeof(struct obd_connect_data)) + GOTO(out, rc = -EPROTO); + data = req_capsule_client_get(&req->rq_pill, &RMF_CONNECT_DATA); + if (!data) + GOTO(out, rc = -EPROTO); rc = req_capsule_server_pack(&req->rq_pill); if (rc) -- 1.8.3.1
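Review bot: The upper bound in `if (size < 0 || size > 8 * sizeof(struct obd_connect_data))` uses an unexplained factor of 8 and is not tied to the destination of the memcpy that the commit message refers to, which lies outside this hunk. If that copy writes into a buffer of `sizeof(struct obd_connect_data)` bytes, a client-supplied size between 1x and 8x the struct would still pass this check, so the copy length needs to be clamped to the destination size at the copy site, or the bound here tightened to match it. Please replace the literal with a named constant or add a comment saying why 8x is the largest legitimate RMF_CONNECT_DATA size. The declaration of `size` is also not visible here: if it is unsigned, `size < 0` is always false and only the second comparison has any effect; if it is a signed int, the comparison against `8 * sizeof(...)` is done in an unsigned type, which is harmless only because the `size < 0` test is evaluated first, so the order of the two tests should not be changed. Both rejection paths return -EPROTO without logging; emitting the rejected size before `GOTO(out, rc = -EPROTO)` would let an operator tell a malformed connect request from a missing connect data field.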