From: Patrick Caulfeld <pcaulfie@redhat.com>
Date: Fri, 18 Jan 2008 17:40:35 +0000
Subject: [dlm] validate lock name length
Message-id: 4790E493.1090301@redhat.com
O-Subject: [RHEL5.2 PATCH] dlm: Validate lock name length
Bugzilla: 409221

The namelen variable is not validated when copying from 32 to 64 bit
structures so a user can put a garbage value into it and cause a memory
overwrite.

This bug checks the namelen is within a valid range.

Signed-Off-By: Patrick Caulfield <pcaulfie@redhat.com>

diff --git a/fs/dlm/user.c b/fs/dlm/user.c
index c6b40c9..c19eac7 100644
--- a/fs/dlm/user.c
+++ b/fs/dlm/user.c
@@ -83,7 +83,8 @@ struct dlm_lock_result32 {
 };
 
 static void compat_input(struct dlm_write_request *kb,
-			 struct dlm_write_request32 *kb32)
+			 struct dlm_write_request32 *kb32,
+			 int max_namelen)
 {
 	kb->version[0] = kb32->version[0];
 	kb->version[1] = kb32->version[1];
@@ -113,7 +114,10 @@ static void compat_input(struct dlm_write_request *kb,
 		kb->i.lock.bastaddr = (void *)(long)kb32->i.lock.bastaddr;
 		kb->i.lock.lksb = (void *)(long)kb32->i.lock.lksb;
 		memcpy(kb->i.lock.lvb, kb32->i.lock.lvb, DLM_USER_LVB_LEN);
-		memcpy(kb->i.lock.name, kb32->i.lock.name, kb->i.lock.namelen);
+		if (kb->i.lock.namelen <= max_namelen)
+			memcpy(kb->i.lock.name, kb32->i.lock.name, kb->i.lock.namelen);
+		else
+			kb->i.lock.namelen = max_namelen;
 	}
 }
 
@@ -530,7 +534,7 @@ static ssize_t device_write(struct file *file, const char __user *buf,
 
 		if (proc)
 			set_bit(DLM_PROC_FLAGS_COMPAT, &proc->flags);
-		compat_input(kbuf, k32buf);
+		compat_input(kbuf, k32buf, count - sizeof(struct dlm_write_request32));
 		kfree(k32buf);
 	}
 #endif