Details
- Type: Bug
- Resolution: Fixed
- Priority: Minor
- None
- 3
Description
In mdt_getxattr() we have the following:
```c
if (valid == OBD_MD_FLXATTR) {
        const char *xattr_name = req_capsule_client_get(info->mti_pill,
                                                        &RMF_NAME);

        rc = mo_xattr_get(info->mti_env, next, buf, xattr_name);
        /* rc (an int, possibly a negative errno) is passed as size_t here */
        rc = mdt_nodemap_map_acl(info, buf->lb_buf, rc, xattr_name,
                                 NODEMAP_FS_TO_CLIENT);
}
...
```
If rc is negative, then when it is passed to the size_t size parameter of mdt_nodemap_map_acl() it becomes a very large value, and the original error may be replaced with -ERANGE.
```c
static int mdt_nodemap_map_acl(struct mdt_thread_info *info, void *buf,
                               size_t size, const char *name,
                               enum nodemap_tree_type tree_type)
{
        struct lu_nodemap       *nodemap;
        struct obd_export       *exp = info->mti_exp;
        int                      rc = size;
        ENTRY;

        if (strcmp(name, XATTR_NAME_ACL_ACCESS) == 0 ||
            strcmp(name, XATTR_NAME_ACL_DEFAULT) == 0) {
                /* a negative rc converted to size_t always fails this check */
                if (size > info->mti_mdt->mdt_max_ea_size ||
                    (!exp_connect_large_acl(exp) &&
                     size > LUSTRE_POSIX_ACL_MAX_SIZE_OLD))
                        GOTO(out, rc = -ERANGE);

                nodemap = nodemap_get_from_exp(exp);
                if (IS_ERR(nodemap))
                        GOTO(out, rc = PTR_ERR(nodemap));

                rc = nodemap_map_acl(nodemap, buf, size, tree_type);
                nodemap_putref(nodemap);
                if (rc < 0)
                        GOTO(out, rc);
        }
out:
        RETURN(rc);
}
```
I noticed this while looking at LU-11074 but this is not the underlying cause of that bug.
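The error-masking path described above, as an added, stand-alone C model that is not Lustre's code. It keeps only the parts that matter: an int return value from the xattr lookup flowing into a size_t size parameter, the range check against a maximum EA size, and the caller either forwarding rc unconditionally (as mdt_getxattr() does in the excerpt) or short-circuiting on a negative rc first. The names model_map_acl(), getxattr_buggy(), getxattr_fixed(), negative_rc_as_size() and the constants MODEL_MAX_EA_SIZE and MODEL_ACL_MAX_SIZE_OLD are assumptions made for the example; the errno values come from errno.h.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed limits standing in for mdt_max_ea_size and
 * LUSTRE_POSIX_ACL_MAX_SIZE_OLD; the real values are runtime/config-dependent. */
#define MODEL_MAX_EA_SIZE        65536u
#define MODEL_ACL_MAX_SIZE_OLD   4096u

/* What a negative int looks like once it has been converted to size_t:
 * two's-complement wraparound yields SIZE_MAX + 1 + rc, a huge value. */
size_t negative_rc_as_size(int rc)
{
        return (size_t)rc;
}

/* Model of mdt_nodemap_map_acl(): `size` is the xattr length, `large_acl`
 * models exp_connect_large_acl(exp). Returns size on success, -errno on error. */
int model_map_acl(size_t size, int large_acl)
{
        int rc = (int)size;     /* mirrors `int rc = size;` in the original */

        if (size > MODEL_MAX_EA_SIZE ||
            (!large_acl && size > MODEL_ACL_MAX_SIZE_OLD))
                return -ERANGE; /* any negative rc lands here after conversion */

        /* nodemap mapping of the ACL would happen here; it is elided */
        return rc;
}

/* Buggy caller shape from mdt_getxattr(): rc from the xattr lookup is passed
 * straight through, even when it is a negative errno. */
int getxattr_buggy(int xattr_rc, int large_acl)
{
        return model_map_acl((size_t)xattr_rc, large_acl);
}

/* Hardened caller: check the lookup result before it is reinterpreted as a
 * length, so the original errno (e.g. -EIO, -ENODATA) reaches the client. */
int getxattr_fixed(int xattr_rc, int large_acl)
{
        if (xattr_rc < 0)
                return xattr_rc;
        return model_map_acl((size_t)xattr_rc, large_acl);
}

int main(void)
{
        /* Constructed inputs: a lookup that failed with -EIO, and a legitimate
         * 100-byte ACL. */
        printf("(size_t)-EIO          = %zu\n", negative_rc_as_size(-EIO));
        printf("buggy, lookup -EIO    -> %d (expect -ERANGE=%d)\n",
               getxattr_buggy(-EIO, 1), -ERANGE);
        printf("fixed, lookup -EIO    -> %d (expect -EIO=%d)\n",
               getxattr_fixed(-EIO, 1), -EIO);
        printf("fixed, 100-byte ACL   -> %d\n", getxattr_fixed(100, 1));
        printf("fixed, 5000-byte ACL, old client -> %d (expect -ERANGE)\n",
               getxattr_fixed(5000, 0));
        return 0;
}
```

The fixed variant only moves the sign check ahead of the conversion; the genuine -ERANGE case for an oversized ACL on a client without the large-ACL connect flag is preserved, as the last line of the demo shows. The same pattern applies to any int-to-size_t hand-off of a value that doubles as an error code: check the sign before the width changes.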