From 2b75bc9121e54e22537207b47b71373bcb0be41c Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Sun, 9 Sep 2012 16:16:58 +0200 Subject: dlm: check the maximum size of a request from user device_write only checks whether the request size is big enough, but it doesn't check if the size is too big. At that point, it also tries to allocate as much memory as the user has requested even if it's too much. This can lead to OOM killer kicking in, or memory corruption if (count + 1) overflows. Signed-off-by: Sasha Levin Signed-off-by: David Teigland --- fs/dlm/user.c | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'fs/dlm/user.c') diff --git a/fs/dlm/user.c b/fs/dlm/user.c index eb4ed9ba309..7ff49852b0c 100644 --- a/fs/dlm/user.c +++ b/fs/dlm/user.c @@ -503,6 +503,13 @@ static ssize_t device_write(struct file *file, const char __user *buf, #endif return -EINVAL; +#ifdef CONFIG_COMPAT + if (count > sizeof(struct dlm_write_request32) + DLM_RESNAME_MAXLEN) +#else + if (count > sizeof(struct dlm_write_request) + DLM_RESNAME_MAXLEN) +#endif + return -EINVAL; + kbuf = kzalloc(count + 1, GFP_NOFS); if (!kbuf) return -ENOMEM; -- cgit v1.2.3