dlm: dlm_process_incoming_buffer() fixes

* check that length is large enough to cover the non-variable part of message or
  rcom resp. (after checking that it's large enough to cover the header, of
  course).

* kill more pointless casts

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: David Teigland <teigland@redhat.com>

1 files changed, 20 insertions, 13 deletions

diff --git a/fs/dlm/midcomms.c b/fs/dlm/midcomms.c
index e69926e984db..07ac709f3ed7 100644
--- a/fs/dlm/midcomms.c
+++ b/fs/dlm/midcomms.c
@@ -61,9 +61,9 @@ int dlm_process_incoming_buffer(int nodeid, const void *base,
         union {
                 unsigned char __buf[DLM_INBUF_LEN];
                 /* this is to force proper alignment on some arches */
-                struct dlm_header dlm;
+                union dlm_packet p;
         } __tmp;
-        struct dlm_header *msg = &__tmp.dlm;
+        union dlm_packet *p = &__tmp.p;
         int ret = 0;
         int err = 0;
         uint16_t msglen;
@@ -75,15 +75,22 @@ int dlm_process_incoming_buffer(int nodeid, const void *base,
                    message may wrap around the end of the buffer back to the
                    start, so we need to use a temp buffer and copy_from_cb. */
 
-                copy_from_cb(msg, base, offset, sizeof(struct dlm_header),
+                copy_from_cb(p, base, offset, sizeof(struct dlm_header),
                              limit);
 
-                msglen = le16_to_cpu(msg->h_length);
-                lockspace = msg->h_lockspace;
+                msglen = le16_to_cpu(p->header.h_length);
+                lockspace = p->header.h_lockspace;
 
                 err = -EINVAL;
                 if (msglen < sizeof(struct dlm_header))
                         break;
+                if (p->header.h_cmd == DLM_MSG) {
+                        if (msglen < sizeof(struct dlm_message))
+                                break;
+                } else {
+                        if (msglen < sizeof(struct dlm_rcom))
+                                break;
+                }
                 err = -E2BIG;
                 if (msglen > dlm_config.ci_buffer_size) {
                         log_print("message size %d from %d too big, buf len %d",
@@ -104,26 +111,26 @@ int dlm_process_incoming_buffer(int nodeid, const void *base,
                    in the buffer on the stack (which should work for most
                    ordinary messages). */
 
-                if (msglen > DLM_INBUF_LEN && msg == &__tmp.dlm) {
-                        msg = kmalloc(dlm_config.ci_buffer_size, GFP_KERNEL);
-                        if (msg == NULL)
+                if (msglen > sizeof(__tmp) && p == &__tmp.p) {
+                        p = kmalloc(dlm_config.ci_buffer_size, GFP_KERNEL);
+                        if (p == NULL)
                                 return ret;
                 }
 
-                copy_from_cb(msg, base, offset, msglen, limit);
+                copy_from_cb(p, base, offset, msglen, limit);
 
-                BUG_ON(lockspace != msg->h_lockspace);
+                BUG_ON(lockspace != p->header.h_lockspace);
 
                 ret += msglen;
                 offset += msglen;
                 offset &= (limit - 1);
                 len -= msglen;
 
-                dlm_receive_buffer(msg, nodeid);
+                dlm_receive_buffer(p, nodeid);
         }
 
-        if (msg != &__tmp.dlm)
-                kfree(msg);
+        if (p != &__tmp.p)
+                kfree(p);
 
         return err ? err : ret;
 }