From b47eead0db4146189232bca06d26d6cb4d26fdac Mon Sep 17 00:00:00 2001
From: waterwin <qianjiaxing@huawei.com>
Date: Tue, 18 Jul 2023 03:40:44 +0000
Subject: [PATCH] hmdfs:xattr overflow

Signed-off-by: waterwin <qianjiaxing@huawei.com>
---
 fs/hmdfs/comm/message_verify.c | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/fs/hmdfs/comm/message_verify.c b/fs/hmdfs/comm/message_verify.c
index 0fd80c41629e..ea325e3a1085 100644
--- a/fs/hmdfs/comm/message_verify.c
+++ b/fs/hmdfs/comm/message_verify.c
@@ -694,6 +694,10 @@ static int verify_getxattr_req(size_t msg_len, void *msg)
 	if (msg_len != sizeof(*req) + req->path_len + 1 + req->name_len + 1)
 		return -EINVAL;
 	
+	if (req->name_len > XATTR_NAME_MAX || req->size < 0 ||
+	    req->size > XATTR_SIZE_MAX)
+		return -EINVAL;
+
 	if (is_str_msg_valid(req->buf, str_len, sizeof(str_len) / sizeof(int)))
 		return -EINVAL;
 
@@ -707,6 +711,9 @@ static int verify_getxattr_resp(size_t msg_len, void *msg)
 	if (msg_len < sizeof(*resp))
 		return -EINVAL;
 
+	if (resp->size > XATTR_SIZE_MAX)
+		return -EINVAL;
+
 	return 0;
 }
 
@@ -734,6 +741,10 @@ static int verify_setxattr_req(size_t msg_len, void *msg)
 		req->size)
 		return -EINVAL;
 
+	if (req->name_len > XATTR_NAME_MAX || req->size < 0 ||
+	    req->size > XATTR_SIZE_MAX)
+		return -EINVAL;
+
 	if (is_str_msg_valid(req->buf, str_len, sizeof(str_len) / sizeof(int)))
 		return -EINVAL;
 
@@ -762,6 +773,9 @@ static int verify_listxattr_req(size_t msg_len, void *msg)
 	if (msg_len != sizeof(*req) + req->path_len + 1)
 		return -EINVAL;
 
+	if (req->size < 0 || req->size > XATTR_LIST_MAX)
+		return -EINVAL;
+
 	if (is_str_msg_valid(req->buf, str_len, sizeof(str_len) / sizeof(int)))
 		return -EINVAL;
 
@@ -775,6 +789,9 @@ static int verify_listxattr_resp(size_t msg_len, void *msg)
 	if (msg_len < sizeof(*resp))
 		return -EINVAL;
 
+	if (resp->size > XATTR_LIST_MAX)
+		return -EINVAL;
+
 	return 0;
 }
 
-- 
Gitee