staging/lustre/llite: Fix integer overflow in ll_fid2path

Reported by Dan Carpenter <dan.carpenter@oracle.com>

outsize = sizeof(*gfout) + gfin->gf_pathlen;

Where outsize is int and gf_pathlen is u32 from userspace
can lead to integer overflowwhere outsize is some small number
less than sizeof(*gfout)

Add a check for pathlen to be of sensical size.

Signed-off-by: Oleg Drokin <oleg.drokin@intel.com>
Reviewed-on: http://review.whamcloud.com/11412
Intel-bug-id: https://jira.hpdd.intel.com/browse/LU-5476
Reviewed-by: Dmitry Eremin <dmitry.eremin@intel.com>
Reviewed-by: John L. Hammond <john.hammond@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/drivers/staging/lustre/lustre/llite/file.c b/drivers/staging/lustre/lustre/llite/file.c
index d3874e1..4a33638 100644 (file)
--- a/drivers/staging/lustre/lustre/llite/file.c
+++ b/drivers/staging/lustre/lustre/llite/file.c
@@ -1719,6 +1719,9 @@ int ll_fid2path(struct inode *inode, void __user *arg)
        if (get_user(pathlen, &gfin->gf_pathlen))
                return -EFAULT;
 
+       if (pathlen > PATH_MAX)
+               return -EINVAL;
+
        outsize = sizeof(*gfout) + pathlen;
 
        OBD_ALLOC(gfout, outsize);