As I experienced invalid header length e.g. worst-case zero triggers an endless loop inside the receive handling, because we don't increment any consumed bytes. This patch will add also a check for the minimum size of a dlm message inside the dlm header length field.
Signed-off-by: Alexander Aring <[email protected]> --- fs/dlm/midcomms.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/fs/dlm/midcomms.c b/fs/dlm/midcomms.c index b146842be54a..139d87f1ba17 100644 --- a/fs/dlm/midcomms.c +++ b/fs/dlm/midcomms.c @@ -95,7 +95,8 @@ int dlm_process_incoming_buffer(int nodeid, unsigned char *buf, int len) * cannot deliver this message to upper layers */ msglen = le16_to_cpu(hd->h_length); - if (msglen > DEFAULT_BUFFER_SIZE) { + if (msglen > DEFAULT_BUFFER_SIZE || + msglen < sizeof(struct dlm_header)) { log_print("received invalid length header: %u, will abort message parsing", msglen); return -EBADMSG; -- 2.26.2
