dlm: check the write size from user

teigland · teigland · commit d4b0bcf32b94 · 2013-02-04T15:31:22.000-06:00
Return EINVAL from write if the size is larger than
allowed.  Do this before allocating kernel memory for
the bogus size, which could lead to OOM.

Reported-by: Sasha Levin &lt;levinsasha928@gmail.com&gt;
Tested-by: Jana Saout &lt;jana@saout.de&gt;
Signed-off-by: David Teigland &lt;teigland@redhat.com&gt;
diff --git a/fs/dlm/user.c b/fs/dlm/user.c
@@ -503,11 +503,11 @@ static ssize_t device_write(struct file *file, const char __user *buf,
 #endif
 		return -EINVAL;
 
-#ifdef CONFIG_COMPAT
-	if (count > sizeof(struct dlm_write_request32) + DLM_RESNAME_MAXLEN)
-#else
+	/*
+	 * can't compare against COMPAT/dlm_write_request32 because
+	 * we don't yet know if is64bit is zero
+	 */
 	if (count > sizeof(struct dlm_write_request) + DLM_RESNAME_MAXLEN)
-#endif
 		return -EINVAL;
 
 	kbuf = kzalloc(count + 1, GFP_NOFS);
