diff options
author | Mike Marshall <hubcap@omnibond.com> | 2015-12-17 16:11:40 -0500 |
---|---|---|
committer | Mike Marshall <hubcap@omnibond.com> | 2015-12-17 16:11:40 -0500 |
commit | 62441fa53bccc69fe344e6b20be0680cca0fbc15 (patch) | |
tree | 9117e2e53e30c137046c8fb9c7752ac16792037c /fs/orangefs | |
parent | fef8b67ce6cab8e031285642b841acf5355d6788 (diff) |
Orangefs: validate resp.listxattr.returned_count
Signed-off-by: Mike Marshall <hubcap@omnibond.com>
Diffstat (limited to 'fs/orangefs')
-rw-r--r-- | fs/orangefs/xattr.c | 12 |
1 files changed, 11 insertions, 1 deletions
diff --git a/fs/orangefs/xattr.c b/fs/orangefs/xattr.c index 0e4e01602738..8e9ccf971486 100644 --- a/fs/orangefs/xattr.c +++ b/fs/orangefs/xattr.c @@ -348,6 +348,7 @@ ssize_t orangefs_listxattr(struct dentry *dentry, char *buffer, size_t size) int count_keys = 0; int key_size; int i = 0; + int returned_count = 0; if (size > 0 && buffer == NULL) { gossip_err("%s: bogus NULL pointers\n", __func__); @@ -392,10 +393,19 @@ try_again: if (length == 0) goto done; + returned_count = new_op->downcall.resp.listxattr.returned_count; + if (returned_count < 0 || + returned_count >= ORANGEFS_MAX_XATTR_LISTLEN) { + gossip_err("%s: impossible value for returned_count:%d:\n", + __func__, + returned_count); + goto done; + } + /* * Check to see how much can be fit in the buffer. Fit only whole keys. */ - for (i = 0; i < new_op->downcall.resp.listxattr.returned_count; i++) { + for (i = 0; i < returned_count; i++) { if (total + new_op->downcall.resp.listxattr.lengths[i] > size) goto done; |