leandrof/linux
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

dlm: check the maximum size of a request from user

Browse Source 
device_write only checks whether the request size is big enough, but it doesn't
check if the size is too big.

At that point, it also tries to allocate as much memory as the user has requested
even if it's too much. This can lead to OOM killer kicking in, or memory corruption
if (count + 1) overflows.

Signed-off-by: Sasha Levin <levinsasha928@gmail.com>
Signed-off-by: David Teigland <teigland@redhat.com>
This commit is contained in:
Sasha Levin 2012-09-09 16:16:58 +02:00 committed by David Teigland
parent 9c5bef5849
commit 2b75bc9121
1 changed files with 7 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
fs/dlm/user.c
View File

@ -503,6 +503,13 @@ static ssize_t device_write(struct file *file, const char __user *buf,
#endif
return -EINVAL;
#ifdef CONFIG_COMPAT
if (count > sizeof(struct dlm_write_request32) + DLM_RESNAME_MAXLEN)
#else
if (count > sizeof(struct dlm_write_request) + DLM_RESNAME_MAXLEN)
#endif
return -EINVAL;
kbuf = kzalloc(count + 1, GFP_NOFS);
if (!kbuf)
return -ENOMEM;