summaryrefslogtreecommitdiff
path: root/fs/orangefs
diff options
context:
space:
mode:
authorMike Marshall <hubcap@omnibond.com>2015-12-17 16:11:40 -0500
committerMike Marshall <hubcap@omnibond.com>2015-12-17 16:11:40 -0500
commit62441fa53bccc69fe344e6b20be0680cca0fbc15 (patch)
tree9117e2e53e30c137046c8fb9c7752ac16792037c /fs/orangefs
parentfef8b67ce6cab8e031285642b841acf5355d6788 (diff)
Orangefs: validate resp.listxattr.returned_count
Signed-off-by: Mike Marshall <hubcap@omnibond.com>
Diffstat (limited to 'fs/orangefs')
-rw-r--r--fs/orangefs/xattr.c12
1 files changed, 11 insertions, 1 deletions
diff --git a/fs/orangefs/xattr.c b/fs/orangefs/xattr.c
index 0e4e01602738..8e9ccf971486 100644
--- a/fs/orangefs/xattr.c
+++ b/fs/orangefs/xattr.c
@@ -348,6 +348,7 @@ ssize_t orangefs_listxattr(struct dentry *dentry, char *buffer, size_t size)
int count_keys = 0;
int key_size;
int i = 0;
+ int returned_count = 0;
if (size > 0 && buffer == NULL) {
gossip_err("%s: bogus NULL pointers\n", __func__);
@@ -392,10 +393,19 @@ try_again:
if (length == 0)
goto done;
+ returned_count = new_op->downcall.resp.listxattr.returned_count;
+ if (returned_count < 0 ||
+ returned_count >= ORANGEFS_MAX_XATTR_LISTLEN) {
+ gossip_err("%s: impossible value for returned_count:%d:\n",
+ __func__,
+ returned_count);
+ goto done;
+ }
+
/*
* Check to see how much can be fit in the buffer. Fit only whole keys.
*/
- for (i = 0; i < new_op->downcall.resp.listxattr.returned_count; i++) {
+ for (i = 0; i < returned_count; i++) {
if (total + new_op->downcall.resp.listxattr.lengths[i] > size)
goto done;