orangefs: sanitize listxattr and return EIO on impossible values

Signed-off-by: N Martin Brandenburg <martin@omnibond.com> Signed-off-by: N Mike Marshall <hubcap@omnibond.com>

orangefs: sanitize listxattr and return EIO on impossible values
Signed-off-by: N Martin Brandenburg <martin@omnibond.com> Signed-off-by: N Mike Marshall <hubcap@omnibond.com>
02a5cc53 · Martin Brandenburg · Mike Marshall · 5e06664f · 02a5cc53
隐藏空白更改
内联并排

Showing with 10 addition and 0 deletion

fs/orangefs/xattr.c fs/orangefs/xattr.c +10 -0

未找到文件。
--- a/fs/orangefs/xattr.c
+++ b/fs/orangefs/xattr.c
@@ -394,6 +394,7 @@ ssize_t orangefs_listxattr(struct dentry *dentry, char *buffer, size_t size)
 		gossip_err("%s: impossible value for returned_count:%d:\n",
 		__func__,
 		returned_count);
+		ret = -EIO;
 		goto done;
 	}

@@ -401,6 +402,15 @@ ssize_t orangefs_listxattr(struct dentry *dentry, char *buffer, size_t size)
 	 * Check to see how much can be fit in the buffer. Fit only whole keys.
 	 */
 	for (i = 0; i < returned_count; i++) {
+		if (new_op->downcall.resp.listxattr.lengths[i] < 0 ||
+		    new_op->downcall.resp.listxattr.lengths[i] >
+		    ORANGEFS_MAX_XATTR_NAMELEN) {
+			gossip_err("%s: impossible value for lengths[%d]\n",
+			    __func__,
+			    new_op->downcall.resp.listxattr.lengths[i]);
+			ret = -EIO;
+			goto done;
+		}
 		if (total + new_op->downcall.resp.listxattr.lengths[i] > size)
 			goto done;