diff options
| author | Ezrak1e <ezrakiez@gmail.com> | 2026-01-20 10:35:06 -0500 |
|---|---|---|
| committer | David Teigland <teigland@redhat.com> | 2026-01-20 12:07:31 -0600 |
| commit | 080e5563f878c64e697b89e7439d730d0daad882 (patch) | |
| tree | 36a0f15c475f2162f977639530701c577e52e986 /fs/dlm | |
| parent | 1416bd508c78bdfdb9ae0b4511369e5581f348ea (diff) | |
dlm: validate length in dlm_search_rsb_tree
The len parameter in dlm_dump_rsb_name() is not validated and comes
from network messages. When it exceeds DLM_RESNAME_MAXLEN, it can
cause out-of-bounds write in dlm_search_rsb_tree().
Add length validation to prevent potential buffer overflow.
Signed-off-by: Ezrak1e <ezrakiez@gmail.com>
Signed-off-by: Alexander Aring <aahringo@redhat.com>
Signed-off-by: David Teigland <teigland@redhat.com>
Diffstat (limited to 'fs/dlm')
| -rw-r--r-- | fs/dlm/lock.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/fs/dlm/lock.c b/fs/dlm/lock.c index c01a291db401..a393ecaf3442 100644 --- a/fs/dlm/lock.c +++ b/fs/dlm/lock.c @@ -626,7 +626,8 @@ int dlm_search_rsb_tree(struct rhashtable *rhash, const void *name, int len, struct dlm_rsb **r_ret) { char key[DLM_RESNAME_MAXLEN] = {}; - + if (len > DLM_RESNAME_MAXLEN) + return -EINVAL; memcpy(key, name, len); *r_ret = rhashtable_lookup_fast(rhash, &key, dlm_rhash_rsb_params); if (*r_ret) |