orangefs: sanitize listxattr and return EIO on impossible values

author Martin Brandenburg <martin@omnibond.com>

Wed, 16 Mar 2016 18:01:43 +0000 (14:01 -0400)

committer Mike Marshall <hubcap@omnibond.com>

Thu, 17 Mar 2016 18:33:47 +0000 (14:33 -0400)
author Martin Brandenburg <martin@omnibond.com>
Wed, 16 Mar 2016 18:01:43 +0000 (14:01 -0400)
committer Mike Marshall <hubcap@omnibond.com>
Thu, 17 Mar 2016 18:33:47 +0000 (14:33 -0400)
diff --git a/fs/orangefs/xattr.c b/fs/orangefs/xattr.c

index 75a7dde8cc5f9ddaf26326d54f6bef8c22459ead..ef5da7538cd5177f78c31542121ad36f2d24115e 100644 (file)
--- a/fs/orangefs/xattr.c
+++ b/fs/orangefs/xattr.c
@@ -394,6 +394,7 @@ try_again:
                 gossip_err("%s: impossible value for returned_count:%d:\n",
                 __func__,
                 returned_count);
+               ret = -EIO;
                 goto done;
         }
  
@@ -401,6 +402,15 @@ try_again:
          * Check to see how much can be fit in the buffer. Fit only whole keys.
          */
         for (i = 0; i < returned_count; i++) {
+               if (new_op->downcall.resp.listxattr.lengths[i] < 0 ||
+                   new_op->downcall.resp.listxattr.lengths[i] >
+                   ORANGEFS_MAX_XATTR_NAMELEN) {
+                       gossip_err("%s: impossible value for lengths[%d]\n",
+                           __func__,
+                           new_op->downcall.resp.listxattr.lengths[i]);
+                       ret = -EIO;
+                       goto done;
+               }
                 if (total + new_op->downcall.resp.listxattr.lengths[i] > size)
                         goto done;
author	Martin Brandenburg <martin@omnibond.com>
	Wed, 16 Mar 2016 18:01:43 +0000 (14:01 -0400)
committer	Mike Marshall <hubcap@omnibond.com>
	Thu, 17 Mar 2016 18:33:47 +0000 (14:33 -0400)