From 4f43d8dbe634cc79c4b45cc088d066768c0359d2 Mon Sep 17 00:00:00 2001 From: Oleg Drokin Date: Wed, 7 Dec 2016 00:39:27 -0500 Subject: staging/lustre/lnetselftest: Fix potential integer overflow It looks like if the passed in parameter is not present, but parameter length is non zero, then sanity checks on the length are skipped and lstcon_test_add() might then use incorrect allocation that's prone to integer overflow size. This patch ensures that parameter len is zero if parameter is not present. Reported-by: Dan Carpenter Signed-off-by: Oleg Drokin Signed-off-by: Greg Kroah-Hartman --- drivers/staging/lustre/lnet/selftest/conctl.c | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'drivers/staging') diff --git a/drivers/staging/lustre/lnet/selftest/conctl.c b/drivers/staging/lustre/lnet/selftest/conctl.c index 02847bfdd864..94383023c1be 100644 --- a/drivers/staging/lustre/lnet/selftest/conctl.c +++ b/drivers/staging/lustre/lnet/selftest/conctl.c @@ -742,6 +742,10 @@ static int lst_test_add_ioctl(lstio_test_args_t *args) PAGE_SIZE - sizeof(struct lstcon_test))) return -EINVAL; + /* Enforce zero parameter length if there's no parameter */ + if (!args->lstio_tes_param && args->lstio_tes_param_len) + return -EINVAL; + LIBCFS_ALLOC(batch_name, args->lstio_tes_bat_nmlen + 1); if (!batch_name) return rc; -- cgit v1.2.3