This patch adds checks for the dlm header size so that the parsing loop will not stop on messages which are dlm header only, and rejects a msglen field of the dlm header which is less than the dlm header size. A msglen field cannot be less than the dlm header size because the length is inclusive of the header.
Signed-off-by: Alexander Aring <aahri...@redhat.com>
---
 fs/dlm/midcomms.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/fs/dlm/midcomms.c b/fs/dlm/midcomms.c
index fde3a6afe4be..7cda8e4be6fc 100644
--- a/fs/dlm/midcomms.c
+++ b/fs/dlm/midcomms.c
@@ -42,16 +42,17 @@ int dlm_process_incoming_buffer(int nodeid, unsigned char *buf, int len)
 uint16_t msglen;
 int ret = 0;
- while (len >= sizeof(struct dlm_header)) {
+ while (len > sizeof(struct dlm_header)) {
 hd = (struct dlm_header *)ptr;
 /* no message should be more than this otherwise we
 * cannot deliver this message to upper layers
 */
 msglen = get_unaligned_le16(&hd->h_length);
- if (msglen > DEFAULT_BUFFER_SIZE) {
- log_print("received invalid length header: %u, will abort message parsing",
- msglen);
+ if (msglen > DEFAULT_BUFFER_SIZE ||
+ msglen < sizeof(struct dlm_header)) {
+ log_print("received invalid length header: %u from node %d, will abort message parsing",
+ msglen, nodeid);
 return -EBADMSG;
 }
-- 
2.26.2
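Review bot: The new loop condition `while (len > sizeof(struct dlm_header))` disagrees with the added minimum-length check: a trailing buffer of exactly header size is now left unparsed, yet a message whose msglen equals sizeof(struct dlm_header) still passes `msglen < sizeof(struct dlm_header)` whenever further bytes follow it, so whether a header-only message is accepted depends on what arrives after it rather than on the message itself. If no dlm message is legitimately header-only, keeping `while (len >= sizeof(struct dlm_header)) {` and relying on the new msglen check is simpler, and the per-command handling should then compare msglen against the size of the specific message struct it dereferences before the pointer is handed to upper layers, unless the rest of dlm_process_incoming_buffer, which continues outside this hunk, already does so. Note also that `len` is an `int` compared against a `size_t`, so a negative len would convert to a large unsigned value and enter the loop; that is pre-existing, but while this condition is being touched it is worth either a comment stating that callers guarantee len >= 0 or an early `if (len < 0) return -EINVAL;` guard.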