projects / deliverable / linux.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
Merge branch 'simplify_PRT' into release
[deliverable/linux.git] / fs / dlm / dir.c
diff --git a/fs/dlm/dir.c b/fs/dlm/dir.c
index ff97ba924333fccfc7cbb9699753f194d47eda7b..92969f879a177b86f8809feccd483c25697950de 100644 (file)
--- a/fs/dlm/dir.c
+++ b/fs/dlm/dir.c
@@ -220,6 +220,7 @@ int dlm_recover_directory(struct dlm_ls *ls)
                last_len = 0;
 
                for (;;) {
+                       int left;
                        error = dlm_recovery_stopped(ls);
                        if (error)
                                goto out_free;
@@ -235,12 +236,21 @@ int dlm_recover_directory(struct dlm_ls *ls)
                         * pick namelen/name pairs out of received buffer
                         */
 
-                       b = ls->ls_recover_buf + sizeof(struct dlm_rcom);
+                       b = ls->ls_recover_buf->rc_buf;
+                       left = ls->ls_recover_buf->rc_header.h_length;
+                       left -= sizeof(struct dlm_rcom);
 
                        for (;;) {
-                               memcpy(&namelen, b, sizeof(uint16_t));
-                               namelen = be16_to_cpu(namelen);
-                               b += sizeof(uint16_t);
+                               __be16 v;
+
+                               error = -EINVAL;
+                               if (left < sizeof(__be16))
+                                       goto out_free;
+
+                               memcpy(&v, b, sizeof(__be16));
+                               namelen = be16_to_cpu(v);
+                               b += sizeof(__be16);
+                               left -= sizeof(__be16);
 
                                /* namelen of 0xFFFFF marks end of names for
                                   this node; namelen of 0 marks end of the
@@ -251,6 +261,12 @@ int dlm_recover_directory(struct dlm_ls *ls)
                                if (!namelen)
                                        break;
 
+                               if (namelen > left)
+                                       goto out_free;
+
+                               if (namelen > DLM_RESNAME_MAXLEN)
+                                       goto out_free;
+
                                error = -ENOMEM;
                                de = get_free_de(ls, namelen);
                                if (!de)
@@ -262,6 +278,7 @@ int dlm_recover_directory(struct dlm_ls *ls)
                                memcpy(de->name, b, namelen);
                                memcpy(last_name, b, namelen);
                                b += namelen;
+                               left -= namelen;
 
                                add_entry_to_hash(ls, de);
                                count++;
@@ -302,6 +319,9 @@ static int get_entry(struct dlm_ls *ls, int nodeid, char *name,
 
        write_unlock(&ls->ls_dirtbl[bucket].lock);
 
+       if (namelen > DLM_RESNAME_MAXLEN)
+               return -EINVAL;
+
        de = kzalloc(sizeof(struct dlm_direntry) + namelen, GFP_KERNEL);
        if (!de)
                return -ENOMEM;
@@ -354,7 +374,7 @@ void dlm_copy_master_names(struct dlm_ls *ls, char *inbuf, int inlen,
        struct list_head *list;
        struct dlm_rsb *r;
        int offset = 0, dir_nodeid;
-       uint16_t be_namelen;
+       __be16 be_namelen;
 
        down_read(&ls->ls_root_sem);
 
@@ -390,15 +410,15 @@ void dlm_copy_master_names(struct dlm_ls *ls, char *inbuf, int inlen,
 
                if (offset + sizeof(uint16_t)*2 + r->res_length > outlen) {
                        /* Write end-of-block record */
-                       be_namelen = 0;
-                       memcpy(outbuf + offset, &be_namelen, sizeof(uint16_t));
-                       offset += sizeof(uint16_t);
+                       be_namelen = cpu_to_be16(0);
+                       memcpy(outbuf + offset, &be_namelen, sizeof(__be16));
+                       offset += sizeof(__be16);
                        goto out;
                }
 
                be_namelen = cpu_to_be16(r->res_length);
-               memcpy(outbuf + offset, &be_namelen, sizeof(uint16_t));
-               offset += sizeof(uint16_t);
+               memcpy(outbuf + offset, &be_namelen, sizeof(__be16));
+               offset += sizeof(__be16);
                memcpy(outbuf + offset, r->res_name, r->res_length);
                offset += r->res_length;
        }
@@ -410,9 +430,9 @@ void dlm_copy_master_names(struct dlm_ls *ls, char *inbuf, int inlen,
 
        if ((list == &ls->ls_root_list) &&
            (offset + sizeof(uint16_t) <= outlen)) {
-               be_namelen = 0xFFFF;
-               memcpy(outbuf + offset, &be_namelen, sizeof(uint16_t));
-               offset += sizeof(uint16_t);
+               be_namelen = cpu_to_be16(0xFFFF);
+               memcpy(outbuf + offset, &be_namelen, sizeof(__be16));
+               offset += sizeof(__be16);
        }
 
  out:
Linux kernel - Deliverables
This page took 0.026055 seconds and 5 git commands to generate.