diff options
| author | Al Viro <viro@zeniv.linux.org.uk> | 2015-10-09 17:51:36 -0400 |
|---|---|---|
| committer | Mike Marshall <hubcap@omnibond.com> | 2015-11-13 11:57:34 -0500 |
| commit | ade1d48b788996e05fb9914dfb62993b1c279357 (patch) | |
| tree | 7f128f91c99aa8686999f1328b48b2f0648a4cb9 /fs/orangefs | |
| parent | 9be68b08719c10cc3cc9305e7b2452475a9dcacd (diff) | |
| download | blackbird-op-linux-ade1d48b788996e05fb9914dfb62993b1c279357.tar.gz blackbird-op-linux-ade1d48b788996e05fb9914dfb62993b1c279357.zip | |
orangefs: don't leave uninitialized data in ->trailer_buf
minimal fix; it would be better to reject such requests outright.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Mike Marshall <hubcap@omnibond.com>
Diffstat (limited to 'fs/orangefs')
| -rw-r--r-- | fs/orangefs/devpvfs2-req.c | 20 |
1 files changed, 11 insertions, 9 deletions
diff --git a/fs/orangefs/devpvfs2-req.c b/fs/orangefs/devpvfs2-req.c index ede842f05b62..7a719900235f 100644 --- a/fs/orangefs/devpvfs2-req.c +++ b/fs/orangefs/devpvfs2-req.c @@ -352,18 +352,20 @@ static ssize_t pvfs2_devreq_writev(struct file *file, * to reset trailer size on op errors. */ if (op->downcall.status == 0 && op->downcall.trailer_size > 0) { + __u64 trailer_size = op->downcall.trailer_size; + size_t size; gossip_debug(GOSSIP_DEV_DEBUG, "writev: trailer size %ld\n", - (unsigned long)op->downcall.trailer_size); + (unsigned long)size); if (count != (notrailer_count + 1)) { - gossip_err("Error: trailer size (%ld) is non-zero, no trailer elements though? (%zu)\n", (unsigned long)op->downcall.trailer_size, count); + gossip_err("Error: trailer size (%ld) is non-zero, no trailer elements though? (%zu)\n", (unsigned long)trailer_size, count); dev_req_release(buffer); put_op(op); return -EPROTO; } - if (iov[notrailer_count].iov_len > - op->downcall.trailer_size) { - gossip_err("writev error: trailer size (%ld) != iov_len (%ld)\n", (unsigned long)op->downcall.trailer_size, (unsigned long)iov[notrailer_count].iov_len); + size = iov[notrailer_count].iov_len; + if (size > trailer_size) { + gossip_err("writev error: trailer size (%ld) != iov_len (%zd)\n", (unsigned long)trailer_size, size); dev_req_release(buffer); put_op(op); return -EMSGSIZE; @@ -371,16 +373,14 @@ static ssize_t pvfs2_devreq_writev(struct file *file, /* Allocate a buffer large enough to hold the * trailer bytes. */ - op->downcall.trailer_buf = - vmalloc(op->downcall.trailer_size); + op->downcall.trailer_buf = vmalloc(trailer_size); if (op->downcall.trailer_buf != NULL) { gossip_debug(GOSSIP_DEV_DEBUG, "vmalloc: %p\n", op->downcall.trailer_buf); ret = copy_from_user(op->downcall.trailer_buf, iov[notrailer_count]. iov_base, - iov[notrailer_count]. - iov_len); + size); if (ret) { gossip_err("Failed to copy trailer data from user space\n"); dev_req_release(buffer); @@ -392,6 +392,8 @@ static ssize_t pvfs2_devreq_writev(struct file *file, put_op(op); return -EIO; } + memset(op->downcall.trailer_buf + size, 0, + trailer_size - size); } else { /* Change downcall status */ op->downcall.status = -ENOMEM; |
