From d01834323af7a14d2d4959d9bea58073e3bb16ea Mon Sep 17 00:00:00 2001 From: Oleg Drokin Date: Tue, 12 Aug 2014 09:20:14 -0400 Subject: [PATCH] LU-5476 llite: Fix integer overflow in ll_fid2path Reported by Dan Carpenter outsize = sizeof(*gfout) + gfin->gf_pathlen; Where outsize is int and gf_pathlen is u32 from userspace can lead to integer overflow where outsize is some small number less than sizeof(*gfout) Add a check for pathlen to be of sensical size. Change-Id: I90d6ca290d115eabd9b68c7512c65f7e1fccc752 Signed-off-by: Oleg Drokin Reviewed-on: http://review.whamcloud.com/11412 Reviewed-by: Dmitry Eremin Tested-by: Jenkins Tested-by: Maloo Reviewed-by: John L. Hammond --- lustre/llite/file.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/lustre/llite/file.c b/lustre/llite/file.c index dfb638a..adf68ef 100644 --- a/lustre/llite/file.c +++ b/lustre/llite/file.c @@ -1913,6 +1913,9 @@ int ll_fid2path(struct inode *inode, void __user *arg) if (get_user(pathlen, &gfin->gf_pathlen)) RETURN(-EFAULT); + if (pathlen > PATH_MAX) + RETURN(-EINVAL); + outsize = sizeof(*gfout) + pathlen; OBD_ALLOC(gfout, outsize); if (gfout == NULL) -- 1.8.3.1
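Review bot: The new `if (pathlen > PATH_MAX)` check in ll_fid2path only bounds the value from above, so it closes the overflow only if `pathlen` is declared unsigned, and that declaration is not visible in this hunk. If `pathlen` is a signed int, a negative value read by get_user() passes the comparison and `outsize = sizeof(*gfout) + pathlen` can still come out smaller than sizeof(*gfout), which is the case the commit message describes. Please confirm `pathlen` matches the u32 type of gf_pathlen, or make the lower bound explicit in the same condition. Since the commit message notes that `outsize` is an int, it would also be worth changing it to size_t so the size passed to OBD_ALLOC cannot be negative, and adding a one-line comment above the check saying that the bound exists to keep the user-supplied length from wrapping the allocation size.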