From mboxrd@z Thu Jan 1 00:00:00 1970 From: Alexander Aring Date: Fri, 13 Nov 2020 17:58:11 -0500 Subject: [Cluster-devel] [RFC PATCH dlm/next 13/16] fs: dlm: check on minimum header size In-Reply-To: <20201113225814.461167-1-aahringo@redhat.com> References: <20201113225814.461167-1-aahringo@redhat.com> Message-ID: <20201113225814.461167-14-aahringo@redhat.com> List-Id: To: cluster-devel.redhat.com MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit As I experienced invalid header length e.g. worst-case zero triggers an endless loop inside the receive handling, because we don't increment any consumed bytes. This patch will add also a check for the minimum size of a dlm message inside the dlm header length field. Signed-off-by: Alexander Aring --- fs/dlm/midcomms.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/fs/dlm/midcomms.c b/fs/dlm/midcomms.c index b146842be54a..139d87f1ba17 100644 --- a/fs/dlm/midcomms.c +++ b/fs/dlm/midcomms.c @@ -95,7 +95,8 @@ int dlm_process_incoming_buffer(int nodeid, unsigned char *buf, int len) * cannot deliver this message to upper layers */ msglen = le16_to_cpu(hd->h_length); - if (msglen > DEFAULT_BUFFER_SIZE) { + if (msglen > DEFAULT_BUFFER_SIZE || + msglen < sizeof(struct dlm_header)) { log_print("received invalid length header: %u, will abort message parsing", msglen); return -EBADMSG; -- 2.26.2
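Review bot: The new lower bound `msglen < sizeof(struct dlm_header)` in the `if` has no comment saying why it is needed. The commit message gives the reason: a length below the header size, zero in the worst case, means the receive handling consumes no bytes and loops forever. That reasoning belongs next to the check, for example by extending the existing comment that ends "cannot deliver this message to upper layers". The single log line "received invalid length header: %u, will abort message parsing" now covers both the too-large and the too-small case, so consider stating the accepted range in the message, or logging the two cases separately, so that a malformed or hostile peer is easier to diagnose from the log. The comparison also mixes `msglen` with the `size_t` result of `sizeof`; the declaration of `msglen` is outside this hunk, so please confirm it is an unsigned type and that no implicit conversion can let a bad value through.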