From: Oleg Drokin <green@linuxhacker.ru>
Date: Wed, 7 Dec 2016 05:39:27 +0000 (-0500)
Subject: staging/lustre/lnetselftest: Fix potential integer overflow
X-Git-Tag: microblaze-4.13-rc1~1101^2~8
X-Git-Url: http://git.monstr.eu/?a=commitdiff_plain;h=4f43d8dbe634cc79c4b45cc088d066768c0359d2;p=linux-2.6-microblaze.git

staging/lustre/lnetselftest: Fix potential integer overflow

It looks like if the passed in parameter is not present, but
parameter length is non zero, then sanity checks on the length
are skipped and lstcon_test_add() might then use incorrect
allocation that's prone to integer overflow size.

This patch ensures that parameter len is zero if parameter is
not present.

Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Oleg Drokin <green@linuxhacker.ru>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---

diff --git a/drivers/staging/lustre/lnet/selftest/conctl.c b/drivers/staging/lustre/lnet/selftest/conctl.c
index 02847bfdd864..94383023c1be 100644
--- a/drivers/staging/lustre/lnet/selftest/conctl.c
+++ b/drivers/staging/lustre/lnet/selftest/conctl.c
@@ -742,6 +742,10 @@ static int lst_test_add_ioctl(lstio_test_args_t *args)
 	     PAGE_SIZE - sizeof(struct lstcon_test)))
 		return -EINVAL;
 
+	/* Enforce zero parameter length if there's no parameter */
+	if (!args->lstio_tes_param && args->lstio_tes_param_len)
+		return -EINVAL;
+
 	LIBCFS_ALLOC(batch_name, args->lstio_tes_bat_nmlen + 1);
 	if (!batch_name)
 		return rc;