dlm: dlm_process_incoming_buffer() fixes
* check that length is large enough to cover the non-variable part of message or rcom resp. (after checking that it's large enough to cover the header, of course). * kill more pointless casts Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: David Teigland <teigland@redhat.com>
This commit is contained in:
Al Viro
David Teigland
@ -61,9 +61,9 @@ int dlm_process_incoming_buffer(int nodeid, const void *base,
|
||||
union {
|
||||
unsigned char __buf[DLM_INBUF_LEN];
|
||||
/* this is to force proper alignment on some arches */
|
||||
struct dlm_header dlm;
|
||||
union dlm_packet p;
|
||||
} __tmp;
|
||||
struct dlm_header *msg = &__tmp.dlm;
|
||||
union dlm_packet *p = &__tmp.p;
|
||||
int ret = 0;
|
||||
int err = 0;
|
||||
uint16_t msglen;
|
||||
@ -75,15 +75,22 @@ int dlm_process_incoming_buffer(int nodeid, const void *base,
|
||||
message may wrap around the end of the buffer back to the
|
||||
start, so we need to use a temp buffer and copy_from_cb. */
|
||||
|
||||
copy_from_cb(msg, base, offset, sizeof(struct dlm_header),
|
||||
copy_from_cb(p, base, offset, sizeof(struct dlm_header),
|
||||
limit);
|
||||
|
||||
msglen = le16_to_cpu(msg->h_length);
|
||||
lockspace = msg->h_lockspace;
|
||||
msglen = le16_to_cpu(p->header.h_length);
|
||||
lockspace = p->header.h_lockspace;
|
||||
|
||||
err = -EINVAL;
|
||||
if (msglen < sizeof(struct dlm_header))
|
||||
break;
|
||||
if (p->header.h_cmd == DLM_MSG) {
|
||||
if (msglen < sizeof(struct dlm_message))
|
||||
break;
|
||||
} else {
|
||||
if (msglen < sizeof(struct dlm_rcom))
|
||||
break;
|
||||
}
|
||||
err = -E2BIG;
|
||||
if (msglen > dlm_config.ci_buffer_size) {
|
||||
log_print("message size %d from %d too big, buf len %d",
|
||||
@ -104,26 +111,26 @@ int dlm_process_incoming_buffer(int nodeid, const void *base,
|
||||
in the buffer on the stack (which should work for most
|
||||
ordinary messages). */
|
||||
|
||||
if (msglen > DLM_INBUF_LEN && msg == &__tmp.dlm) {
|
||||
msg = kmalloc(dlm_config.ci_buffer_size, GFP_KERNEL);
|
||||
if (msg == NULL)
|
||||
if (msglen > sizeof(__tmp) && p == &__tmp.p) {
|
||||
p = kmalloc(dlm_config.ci_buffer_size, GFP_KERNEL);
|
||||
if (p == NULL)
|
||||
return ret;
|
||||
}
|
||||
|
||||
copy_from_cb(msg, base, offset, msglen, limit);
|
||||
copy_from_cb(p, base, offset, msglen, limit);
|
||||
|
||||
BUG_ON(lockspace != msg->h_lockspace);
|
||||
BUG_ON(lockspace != p->header.h_lockspace);
|
||||
|
||||
ret += msglen;
|
||||
offset += msglen;
|
||||
offset &= (limit - 1);
|
||||
len -= msglen;
|
||||
|
||||
dlm_receive_buffer(msg, nodeid);
|
||||
dlm_receive_buffer(p, nodeid);
|
||||
}
|
||||
|
||||
if (msg != &__tmp.dlm)
|
||||
kfree(msg);
|
||||
if (p != &__tmp.p)
|
||||
kfree(p);
|
||||
|
||||
return err ? err : ret;
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user