提交 2b75bc91 编写于 作者: S Sasha Levin 提交者: David Teigland

dlm: check the maximum size of a request from user

device_write only checks whether the request size is big enough, but it doesn't
check if the size is too big.

At that point, it also tries to allocate as much memory as the user has requested
even if it's too much. This can lead to OOM killer kicking in, or memory corruption
if (count + 1) overflows.
Signed-off-by: NSasha Levin <levinsasha928@gmail.com>
Signed-off-by: NDavid Teigland <teigland@redhat.com>
上级 9c5bef58
......@@ -503,6 +503,13 @@ static ssize_t device_write(struct file *file, const char __user *buf,
#endif
return -EINVAL;
#ifdef CONFIG_COMPAT
if (count > sizeof(struct dlm_write_request32) + DLM_RESNAME_MAXLEN)
#else
if (count > sizeof(struct dlm_write_request) + DLM_RESNAME_MAXLEN)
#endif
return -EINVAL;
kbuf = kzalloc(count + 1, GFP_NOFS);
if (!kbuf)
return -ENOMEM;
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册