Commit 02a5cc53 authored by Martin Brandenburg's avatar Martin Brandenburg Committed by Mike Marshall

orangefs: sanitize listxattr and return EIO on impossible values

Signed-off-by: default avatarMartin Brandenburg <martin@omnibond.com>
Signed-off-by: default avatarMike Marshall <hubcap@omnibond.com>
parent 5e06664f
...@@ -394,6 +394,7 @@ ssize_t orangefs_listxattr(struct dentry *dentry, char *buffer, size_t size) ...@@ -394,6 +394,7 @@ ssize_t orangefs_listxattr(struct dentry *dentry, char *buffer, size_t size)
gossip_err("%s: impossible value for returned_count:%d:\n", gossip_err("%s: impossible value for returned_count:%d:\n",
__func__, __func__,
returned_count); returned_count);
ret = -EIO;
goto done; goto done;
} }
...@@ -401,6 +402,15 @@ ssize_t orangefs_listxattr(struct dentry *dentry, char *buffer, size_t size) ...@@ -401,6 +402,15 @@ ssize_t orangefs_listxattr(struct dentry *dentry, char *buffer, size_t size)
* Check to see how much can be fit in the buffer. Fit only whole keys. * Check to see how much can be fit in the buffer. Fit only whole keys.
*/ */
for (i = 0; i < returned_count; i++) { for (i = 0; i < returned_count; i++) {
if (new_op->downcall.resp.listxattr.lengths[i] < 0 ||
new_op->downcall.resp.listxattr.lengths[i] >
ORANGEFS_MAX_XATTR_NAMELEN) {
gossip_err("%s: impossible value for lengths[%d]\n",
__func__,
new_op->downcall.resp.listxattr.lengths[i]);
ret = -EIO;
goto done;
}
if (total + new_op->downcall.resp.listxattr.lengths[i] > size) if (total + new_op->downcall.resp.listxattr.lengths[i] > size)
goto done; goto done;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment