From 4d8bc239c2c30a47e8833cf23db6ccd39ff61705 Mon Sep 17 00:00:00 2001
From: Emoly Liu
Date: Mon, 9 Sep 2019 16:10:29 +0800
Subject: [PATCH] LU-12602 mdt: more EA size check in mdt_getxattr_pack_reply()

While the RMF_EAVALS field size can be arbitrary length, the RMF_EAVALS_LENS field definition specifies the RMF_F_STRUCT_ARRAY flag, so the passed size must be a multiple of sizeof(__u32) or the internal LBUG() will trigger.

Signed-off-by: Emoly Liu
Change-Id: I767e1b1496298e9a66274fc324f9c34daaed4a09
Reviewed-on: https://review.whamcloud.com/36103
Reviewed-by: Andreas Dilger
Tested-by: jenkins
Tested-by: Maloo
Reviewed-by: Patrick Farrell
---
 lustre/mdt/mdt_xattr.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/lustre/mdt/mdt_xattr.c b/lustre/mdt/mdt_xattr.c
index 4c362a3..82d94c7 100644
--- a/lustre/mdt/mdt_xattr.c
+++ b/lustre/mdt/mdt_xattr.c
@@ -97,9 +97,11 @@ static int mdt_getxattr_pack_reply(struct mdt_thread_info * info)
 /* We could calculate accurate sizes, but this would
 * introduce a lot of overhead, let's do it later... */
 size = info->mti_body->mbo_eadatasize;
- if (size <= 0 || size > info->mti_mdt->mdt_max_ea_size) {
- CERROR("%s: invalid EA size(%d) for FLXATTRALL\n",
- mdt_obd_name(info->mti_mdt), size);
+ if (size <= 0 || size > info->mti_mdt->mdt_max_ea_size ||
+ size & (sizeof(__u32) - 1)) {
+ DEBUG_REQ(D_ERROR, req,
+ "%s: invalid EA size(%d) for FLXATTRALL\n",
+ mdt_obd_name(info->mti_mdt), size);
 RETURN(-EINVAL);
 }
 req_capsule_set_size(pill, &RMF_EAVALS, RCL_SERVER, size);
--
1.8.3.1
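Review bot: The new alignment test `size & (sizeof(__u32) - 1)` has no comment, so the reason it exists lives only in the commit message. Since `mbo_eadatasize` appears to be taken from the request body and a misaligned value reaches an LBUG() per that message, I would add above the `if`: `/* RMF_EAVALS_LENS is RMF_F_STRUCT_ARRAY, so size must be a multiple of sizeof(__u32) */`, and write the test as `(size & (sizeof(__u32) - 1)) != 0` to match the two comparisons beside it. The format string passed to DEBUG_REQ still ends in `\n`; if DEBUG_REQ appends the request details after the caller's format, as I believe it does, the newline separates the error from the request it describes in the log and should be dropped. The body of mdt_getxattr_pack_reply() starts and ends outside this hunk, so whether the same `size` is later applied to RMF_EAVALS_LENS cannot be confirmed from here.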