orangefs: sanitize listxattr and return EIO on impossible values
Signed-off-by: Martin Brandenburg <martin@omnibond.com> Signed-off-by: Mike Marshall <hubcap@omnibond.com>
This commit is contained in:
parent
5e06664f29
commit
02a5cc537d
|
@ -394,6 +394,7 @@ try_again:
|
||||||
gossip_err("%s: impossible value for returned_count:%d:\n",
|
gossip_err("%s: impossible value for returned_count:%d:\n",
|
||||||
__func__,
|
__func__,
|
||||||
returned_count);
|
returned_count);
|
||||||
|
ret = -EIO;
|
||||||
goto done;
|
goto done;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -401,6 +402,15 @@ try_again:
|
||||||
* Check to see how much can be fit in the buffer. Fit only whole keys.
|
* Check to see how much can be fit in the buffer. Fit only whole keys.
|
||||||
*/
|
*/
|
||||||
for (i = 0; i < returned_count; i++) {
|
for (i = 0; i < returned_count; i++) {
|
||||||
|
if (new_op->downcall.resp.listxattr.lengths[i] < 0 ||
|
||||||
|
new_op->downcall.resp.listxattr.lengths[i] >
|
||||||
|
ORANGEFS_MAX_XATTR_NAMELEN) {
|
||||||
|
gossip_err("%s: impossible value for lengths[%d]\n",
|
||||||
|
__func__,
|
||||||
|
new_op->downcall.resp.listxattr.lengths[i]);
|
||||||
|
ret = -EIO;
|
||||||
|
goto done;
|
||||||
|
}
|
||||||
if (total + new_op->downcall.resp.listxattr.lengths[i] > size)
|
if (total + new_op->downcall.resp.listxattr.lengths[i] > size)
|
||||||
goto done;
|
goto done;
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue