aboutsummaryrefslogtreecommitdiffstats
path: root/fs/dlm
diff options
context:
space:
mode:
authorSasha Levin <levinsasha928@gmail.com>2012-09-09 10:16:58 -0400
committerDavid Teigland <teigland@redhat.com>2012-09-10 10:50:27 -0400
commit2b75bc9121e54e22537207b47b71373bcb0be41c (patch)
tree1b2778a163dedd71cd968b3b4e1d2049b5a86319 /fs/dlm
parent9c5bef5849c9fde1a37ac005299f759440cbaf4c (diff)
dlm: check the maximum size of a request from user
device_write only checks whether the request size is big enough, but it doesn't check if the size is too big. At that point, it also tries to allocate as much memory as the user has requested even if it's too much. This can lead to OOM killer kicking in, or memory corruption if (count + 1) overflows. Signed-off-by: Sasha Levin <levinsasha928@gmail.com> Signed-off-by: David Teigland <teigland@redhat.com>
Diffstat (limited to 'fs/dlm')
-rw-r--r--fs/dlm/user.c7
1 files changed, 7 insertions, 0 deletions
diff --git a/fs/dlm/user.c b/fs/dlm/user.c
index eb4ed9ba3098..7ff49852b0cb 100644
--- a/fs/dlm/user.c
+++ b/fs/dlm/user.c
@@ -503,6 +503,13 @@ static ssize_t device_write(struct file *file, const char __user *buf,
503#endif 503#endif
504 return -EINVAL; 504 return -EINVAL;
505 505
506#ifdef CONFIG_COMPAT
507 if (count > sizeof(struct dlm_write_request32) + DLM_RESNAME_MAXLEN)
508#else
509 if (count > sizeof(struct dlm_write_request) + DLM_RESNAME_MAXLEN)
510#endif
511 return -EINVAL;
512
506 kbuf = kzalloc(count + 1, GFP_NOFS); 513 kbuf = kzalloc(count + 1, GFP_NOFS);
507 if (!kbuf) 514 if (!kbuf)
508 return -ENOMEM; 515 return -ENOMEM;