orangefs: sanitize listxattr and return EIO on impossible values

Signed-off-by: Martin Brandenburg <martin@omnibond.com> Signed-off-by: Mike Marshall <hubcap@omnibond.com>
author: Martin Brandenburg <martin@omnibond.com> 2016-03-16 14:01:43 -0400
committer: Mike Marshall <hubcap@omnibond.com> 2016-03-17 14:33:47 -0400
commit: 02a5cc537dfa222583b6b6c17451a67816fce9f5 (patch)
tree: 56e4fc6a8a908348bcf35c767915fd9e886ca1c8
parent: 5e06664f29c92c8e6b007cdec1f3abf197bc1961 (diff)
1 files changed, 10 insertions, 0 deletions
diff --git a/fs/orangefs/xattr.c b/fs/orangefs/xattr.c
index 75a7dde8cc5f..ef5da7538cd5 100644
--- a/fs/orangefs/xattr.c
+++ b/fs/orangefs/xattr.c
@@ -394,6 +394,7 @@ try_again:
                gossip_err("%s: impossible value for returned_count:%d:\n",
                __func__,
                returned_count);
+                ret = -EIO;
                goto done;
        }
@@ -401,6 +402,15 @@ try_again:
         * Check to see how much can be fit in the buffer. Fit only whole keys.
         */
        for (i = 0; i < returned_count; i++) {
+                if (new_op->downcall.resp.listxattr.lengths[i] < 0 ||
+                    new_op->downcall.resp.listxattr.lengths[i] >
+                    ORANGEFS_MAX_XATTR_NAMELEN) {
+                        gossip_err("%s: impossible value for lengths[%d]\n",
+                            __func__,
+                            new_op->downcall.resp.listxattr.lengths[i]);
+                        ret = -EIO;
+                        goto done;
+                }
                if (total + new_op->downcall.resp.listxattr.lengths[i] > size)
                        goto done;
author	Martin Brandenburg <martin@omnibond.com>	2016-03-16 14:01:43 -0400
committer	Mike Marshall <hubcap@omnibond.com>	2016-03-17 14:33:47 -0400
commit	02a5cc537dfa222583b6b6c17451a67816fce9f5 (patch)
tree	56e4fc6a8a908348bcf35c767915fd9e886ca1c8
parent	5e06664f29c92c8e6b007cdec1f3abf197bc1961 (diff)