dlm: check the maximum size of a request from user

device_write only checks whether the request size is big enough, but it doesn't
check if the size is too big.

At that point, it also tries to allocate as much memory as the user has requested
even if it's too much. This can lead to OOM killer kicking in, or memory corruption
if (count + 1) overflows.

Signed-off-by: Sasha Levin <levinsasha928@gmail.com>
Signed-off-by: David Teigland <teigland@redhat.com>

diff --git a/fs/dlm/user.c b/fs/dlm/user.c
index eb4ed9ba3098198e8d1db357db48c8f6e9e2ff34..7ff49852b0cb75163ff9646dfb16195678971899 100644 (file)
--- a/fs/dlm/user.c
+++ b/fs/dlm/user.c
@@ -503,6 +503,13 @@ static ssize_t device_write(struct file *file, const char __user *buf,
 #endif
                return -EINVAL;
 
+#ifdef CONFIG_COMPAT
+       if (count > sizeof(struct dlm_write_request32) + DLM_RESNAME_MAXLEN)
+#else
+       if (count > sizeof(struct dlm_write_request) + DLM_RESNAME_MAXLEN)
+#endif
+               return -EINVAL;
+
        kbuf = kzalloc(count + 1, GFP_NOFS);
        if (!kbuf)
                return -ENOMEM;