From 02a5cc537dfa222583b6b6c17451a67816fce9f5 Mon Sep 17 00:00:00 2001 From: Martin Brandenburg Date: Wed, 16 Mar 2016 14:01:43 -0400 Subject: [PATCH] orangefs: sanitize listxattr and return EIO on impossible values Signed-off-by: Martin Brandenburg Signed-off-by: Mike Marshall --- fs/orangefs/xattr.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/fs/orangefs/xattr.c b/fs/orangefs/xattr.c index 75a7dde8cc5f..ef5da7538cd5 100644 --- a/fs/orangefs/xattr.c +++ b/fs/orangefs/xattr.c @@ -394,6 +394,7 @@ ssize_t orangefs_listxattr(struct dentry *dentry, char *buffer, size_t size) gossip_err("%s: impossible value for returned_count:%d:\n", __func__, returned_count); + ret = -EIO; goto done; } @@ -401,6 +402,15 @@ ssize_t orangefs_listxattr(struct dentry *dentry, char *buffer, size_t size) * Check to see how much can be fit in the buffer. Fit only whole keys. */ for (i = 0; i < returned_count; i++) { + if (new_op->downcall.resp.listxattr.lengths[i] < 0 || + new_op->downcall.resp.listxattr.lengths[i] > + ORANGEFS_MAX_XATTR_NAMELEN) { + gossip_err("%s: impossible value for lengths[%d]\n", + __func__, + new_op->downcall.resp.listxattr.lengths[i]); + ret = -EIO; + goto done; + } if (total + new_op->downcall.resp.listxattr.lengths[i] > size) goto done;