dlm: validate length in dlm_search_rsb_tree

The len parameter in dlm_dump_rsb_name() is not validated and comes
from network messages. When it exceeds DLM_RESNAME_MAXLEN, it can
cause out-of-bounds write in dlm_search_rsb_tree().

Add length validation to prevent potential buffer overflow.

Signed-off-by: Ezrak1e <ezrakiez@gmail.com>
Signed-off-by: Alexander Aring <aahringo@redhat.com>
Signed-off-by: David Teigland <teigland@redhat.com>

diff --git a/fs/dlm/lock.c b/fs/dlm/lock.c
index c01a291db401bd95d7296d6bfdd42e65ccfac197..a393ecaf3442ac16d96d835d5c3c14b0528c17ee 100644 (file)
--- a/fs/dlm/lock.c
+++ b/fs/dlm/lock.c
@@ -626,7 +626,8 @@ int dlm_search_rsb_tree(struct rhashtable *rhash, const void *name, int len,
                        struct dlm_rsb **r_ret)
 {
        char key[DLM_RESNAME_MAXLEN] = {};
-
+       if (len > DLM_RESNAME_MAXLEN)
+               return -EINVAL;
        memcpy(key, name, len);
        *r_ret = rhashtable_lookup_fast(rhash, &key, dlm_rhash_rsb_params);
        if (*r_ret)