1 files changed, 24 insertions, 4 deletions
diff --git a/fs/dlm/dir.c b/fs/dlm/dir.c
index ff97ba924333..85defeb64df4 100644
--- a/fs/dlm/dir.c
+++ b/fs/dlm/dir.c
@@ -220,6 +220,7 @@ int dlm_recover_directory(struct dlm_ls *ls)
                last_len = 0;
                for (;;) {
+                        int left;
                        error = dlm_recovery_stopped(ls);
                        if (error)
                                goto out_free;
@@ -235,12 +236,21 @@ int dlm_recover_directory(struct dlm_ls *ls)
                         * pick namelen/name pairs out of received buffer
                         */
-                        b = ls->ls_recover_buf + sizeof(struct dlm_rcom);
+                        b = ls->ls_recover_buf->rc_buf;
+                        left = ls->ls_recover_buf->rc_header.h_length;
+                        left -= sizeof(struct dlm_rcom);
                        for (;;) {
-                                memcpy(&namelen, b, sizeof(uint16_t));
+                                __be16 v;
-                                namelen = be16_to_cpu(namelen);
-                                b += sizeof(uint16_t);
+                                error = -EINVAL;
+                                if (left < sizeof(__be16))
+                                        goto out_free;
+                                memcpy(&v, b, sizeof(__be16));
+                                namelen = be16_to_cpu(v);
+                                b += sizeof(__be16);
+                                left -= sizeof(__be16);
                                /* namelen of 0xFFFFF marks end of names for
                                   this node; namelen of 0 marks end of the
@@ -251,6 +261,12 @@ int dlm_recover_directory(struct dlm_ls *ls)
                                if (!namelen)
                                        break;
+                                if (namelen > left)
+                                        goto out_free;
+                                if (namelen > DLM_RESNAME_MAXLEN)
+                                        goto out_free;
                                error = -ENOMEM;
                                de = get_free_de(ls, namelen);
                                if (!de)
@@ -262,6 +278,7 @@ int dlm_recover_directory(struct dlm_ls *ls)
                                memcpy(de->name, b, namelen);
                                memcpy(last_name, b, namelen);
                                b += namelen;
+                                left -= namelen;
                                add_entry_to_hash(ls, de);
                                count++;
@@ -302,6 +319,9 @@ static int get_entry(struct dlm_ls *ls, int nodeid, char *name,
        write_unlock(&ls->ls_dirtbl[bucket].lock);
+        if (namelen > DLM_RESNAME_MAXLEN)
+                return -EINVAL;
        de = kzalloc(sizeof(struct dlm_direntry) + namelen, GFP_KERNEL);
        if (!de)
                return -ENOMEM;

diff --git a/fs/dlm/dir.c b/fs/dlm/dir.c index ff97ba924333..85defeb64df4 100644 --- a/fs/dlm/dir.c +++ b/fs/dlm/dir.c
@@ -220,6 +220,7 @@ int dlm_recover_directory(struct dlm_ls *ls)
220	last_len = 0;	220	last_len = 0;
221		221
222	for (;;) {	222	for (;;) {
		223	int left;
223	error = dlm_recovery_stopped(ls);	224	error = dlm_recovery_stopped(ls);
224	if (error)	225	if (error)
225	goto out_free;	226	goto out_free;
@@ -235,12 +236,21 @@ int dlm_recover_directory(struct dlm_ls *ls)
235	* pick namelen/name pairs out of received buffer	236	* pick namelen/name pairs out of received buffer
236	*/	237	*/
237		238
238	b = ls->ls_recover_buf + sizeof(struct dlm_rcom);	239	b = ls->ls_recover_buf->rc_buf;
		240	left = ls->ls_recover_buf->rc_header.h_length;
		241	left -= sizeof(struct dlm_rcom);
239		242
240	for (;;) {	243	for (;;) {
241	memcpy(&namelen, b, sizeof(uint16_t));	244	__be16 v;
242	namelen = be16_to_cpu(namelen);	245
243	b += sizeof(uint16_t);	246	error = -EINVAL;
		247	if (left < sizeof(__be16))
		248	goto out_free;
		249
		250	memcpy(&v, b, sizeof(__be16));
		251	namelen = be16_to_cpu(v);
		252	b += sizeof(__be16);
		253	left -= sizeof(__be16);
244		254
245	/* namelen of 0xFFFFF marks end of names for	255	/* namelen of 0xFFFFF marks end of names for
246	this node; namelen of 0 marks end of the	256	this node; namelen of 0 marks end of the
@@ -251,6 +261,12 @@ int dlm_recover_directory(struct dlm_ls *ls)
251	if (!namelen)	261	if (!namelen)
252	break;	262	break;
253		263
		264	if (namelen > left)
		265	goto out_free;
		266
		267	if (namelen > DLM_RESNAME_MAXLEN)
		268	goto out_free;
		269
254	error = -ENOMEM;	270	error = -ENOMEM;
255	de = get_free_de(ls, namelen);	271	de = get_free_de(ls, namelen);
256	if (!de)	272	if (!de)
@@ -262,6 +278,7 @@ int dlm_recover_directory(struct dlm_ls *ls)
262	memcpy(de->name, b, namelen);	278	memcpy(de->name, b, namelen);
263	memcpy(last_name, b, namelen);	279	memcpy(last_name, b, namelen);
264	b += namelen;	280	b += namelen;
		281	left -= namelen;
265		282
266	add_entry_to_hash(ls, de);	283	add_entry_to_hash(ls, de);
267	count++;	284	count++;
@@ -302,6 +319,9 @@ static int get_entry(struct dlm_ls ls, int nodeid, char name,
302		319
303	write_unlock(&ls->ls_dirtbl[bucket].lock);	320	write_unlock(&ls->ls_dirtbl[bucket].lock);
304		321
		322	if (namelen > DLM_RESNAME_MAXLEN)
		323	return -EINVAL;
		324
305	de = kzalloc(sizeof(struct dlm_direntry) + namelen, GFP_KERNEL);	325	de = kzalloc(sizeof(struct dlm_direntry) + namelen, GFP_KERNEL);
306	if (!de)	326	if (!de)
307	return -ENOMEM;	327	return -ENOMEM;