diff options
author | Miklos Szeredi <mszeredi@suse.cz> | 2010-11-30 16:39:27 +0100 |
---|---|---|
committer | Miklos Szeredi <mszeredi@suse.cz> | 2010-11-30 16:39:27 +0100 |
commit | 7572777eef78ebdee1ecb7c258c0ef94d35bad16 (patch) | |
tree | 04bb06d75688912ac14855146dc013703529403d /fs/fuse/file.c | |
parent | d9d318d39dd5cb686660504a3565aac453709ccc (diff) | |
download | lwn-7572777eef78ebdee1ecb7c258c0ef94d35bad16.tar.gz lwn-7572777eef78ebdee1ecb7c258c0ef94d35bad16.zip |
fuse: verify ioctl retries
Verify that the total length of the iovec returned in FUSE_IOCTL_RETRY
doesn't overflow iov_length().
Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
CC: Tejun Heo <tj@kernel.org>
CC: <stable@kernel.org> [2.6.31+]
Diffstat (limited to 'fs/fuse/file.c')
-rw-r--r-- | fs/fuse/file.c | 22 |
1 files changed, 22 insertions, 0 deletions
diff --git a/fs/fuse/file.c b/fs/fuse/file.c index 0e2e25b114a6..8b984a2cebbd 100644 --- a/fs/fuse/file.c +++ b/fs/fuse/file.c @@ -1666,6 +1666,20 @@ static int fuse_copy_ioctl_iovec(struct iovec *dst, void *src, return 0; } +/* Make sure iov_length() won't overflow */ +static int fuse_verify_ioctl_iov(struct iovec *iov, size_t count) +{ + size_t n; + u32 max = FUSE_MAX_PAGES_PER_REQ << PAGE_SHIFT; + + for (n = 0; n < count; n++) { + if (iov->iov_len > (size_t) max) + return -ENOMEM; + max -= iov->iov_len; + } + return 0; +} + /* * For ioctls, there is no generic way to determine how much memory * needs to be read and/or written. Furthermore, ioctls are allowed @@ -1858,6 +1872,14 @@ long fuse_do_ioctl(struct file *file, unsigned int cmd, unsigned long arg, in_iov = page_address(iov_page); out_iov = in_iov + in_iovs; + err = fuse_verify_ioctl_iov(in_iov, in_iovs); + if (err) + goto out; + + err = fuse_verify_ioctl_iov(out_iov, out_iovs); + if (err) + goto out; + goto retry; } |