staging/lustre/lnetselftest: Fix potential integer overflow

It looks like if the passed in parameter is not present, but parameter length is non zero, then sanity checks on the length are skipped and lstcon_test_add() might then use incorrect allocation that's prone to integer overflow size. This patch ensures that parameter len is zero if parameter is not present. Reported-by: Dan Carpenter <[email protected]> Signed-off-by: Oleg Drokin <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
zhenyw · Dec 7, 2016 · 4f43d8d · 4f43d8d
1 parent 3282998
commit 4f43d8d
Showing 1 changed file with 4 additions and 0 deletions.
diff --git a/drivers/staging/lustre/lnet/selftest/conctl.c b/drivers/staging/lustre/lnet/selftest/conctl.c
@@ -742,6 +742,10 @@ static int lst_test_add_ioctl(lstio_test_args_t *args)
 	     PAGE_SIZE - sizeof(struct lstcon_test)))
 		return -EINVAL;
 
+	/* Enforce zero parameter length if there's no parameter */
+	if (!args->lstio_tes_param && args->lstio_tes_param_len)
+		return -EINVAL;
+
 	LIBCFS_ALLOC(batch_name, args->lstio_tes_bat_nmlen + 1);
 	if (!batch_name)
 		return rc;