From: Patrick Caulfeld <pcaulfie@redhat.com> Date: Fri, 18 Jan 2008 17:40:35 +0000 Subject: [dlm] validate lock name length Message-id: 4790E493.1090301@redhat.com O-Subject: [RHEL5.2 PATCH] dlm: Validate lock name length Bugzilla: 409221 The namelen variable is not validated when copying from 32 to 64 bit structures so a user can put a garbage value into it and cause a memory overwrite. This bug checks the namelen is within a valid range. Signed-Off-By: Patrick Caulfield <pcaulfie@redhat.com> diff --git a/fs/dlm/user.c b/fs/dlm/user.c index c6b40c9..c19eac7 100644 --- a/fs/dlm/user.c +++ b/fs/dlm/user.c @@ -83,7 +83,8 @@ struct dlm_lock_result32 { }; static void compat_input(struct dlm_write_request *kb, - struct dlm_write_request32 *kb32) + struct dlm_write_request32 *kb32, + int max_namelen) { kb->version[0] = kb32->version[0]; kb->version[1] = kb32->version[1]; @@ -113,7 +114,10 @@ static void compat_input(struct dlm_write_request *kb, kb->i.lock.bastaddr = (void *)(long)kb32->i.lock.bastaddr; kb->i.lock.lksb = (void *)(long)kb32->i.lock.lksb; memcpy(kb->i.lock.lvb, kb32->i.lock.lvb, DLM_USER_LVB_LEN); - memcpy(kb->i.lock.name, kb32->i.lock.name, kb->i.lock.namelen); + if (kb->i.lock.namelen <= max_namelen) + memcpy(kb->i.lock.name, kb32->i.lock.name, kb->i.lock.namelen); + else + kb->i.lock.namelen = max_namelen; } } @@ -530,7 +534,7 @@ static ssize_t device_write(struct file *file, const char __user *buf, if (proc) set_bit(DLM_PROC_FLAGS_COMPAT, &proc->flags); - compat_input(kbuf, k32buf); + compat_input(kbuf, k32buf, count - sizeof(struct dlm_write_request32)); kfree(k32buf); } #endif