From df42d6ed7eeb10812003a80dd724833f6b41583a Mon Sep 17 00:00:00 2001 From: Al Viro Date: Fri, 25 Jan 2008 04:08:09 -0500 Subject: [PATCH] --- yaml --- r: 84887 b: refs/heads/master c: cd9df1aac346f1c7f592739d092ff710c27bbcde h: refs/heads/master i: 84885: 5b5a021ef9f9c57851ceda6c3d3a0c481bca0d5e 84883: be1d4b1faaa6bbaab68b0f8c78df85c7cb1b8812 84879: 0b8f4f5e0b227751707caa2c1f04dcbd9ade0dd9 v: v3 --- [refs] | 2 +- trunk/fs/dlm/dir.c | 23 ++++++++++++++++++++--- 2 files changed, 21 insertions(+), 4 deletions(-) diff --git a/[refs] b/[refs] index 0397b4dbfad3..314e26ad1bba 100644 --- a/[refs] +++ b/[refs] @@ -1,2 +1,2 @@ --- -refs/heads/master: 02ed16b64dc5b7a4f78476bdb64da9bbf88d84b3 +refs/heads/master: cd9df1aac346f1c7f592739d092ff710c27bbcde diff --git a/trunk/fs/dlm/dir.c b/trunk/fs/dlm/dir.c index ce30136671b3..831050e5bfd5 100644 --- a/trunk/fs/dlm/dir.c +++ b/trunk/fs/dlm/dir.c @@ -220,6 +220,7 @@ int dlm_recover_directory(struct dlm_ls *ls) last_len = 0; for (;;) { + int left; error = dlm_recovery_stopped(ls); if (error) goto out_free; @@ -236,11 +237,20 @@ int dlm_recover_directory(struct dlm_ls *ls) */ b = ls->ls_recover_buf->rc_buf; + left = ls->ls_recover_buf->rc_header.h_length; + left -= sizeof(struct dlm_rcom); for (;;) { - memcpy(&namelen, b, sizeof(uint16_t)); - namelen = be16_to_cpu(namelen); - b += sizeof(uint16_t); + __be16 v; + + error = -EINVAL; + if (left < sizeof(__be16)) + goto out_free; + + memcpy(&v, b, sizeof(__be16)); + namelen = be16_to_cpu(v); + b += sizeof(__be16); + left -= sizeof(__be16); /* namelen of 0xFFFFF marks end of names for this node; namelen of 0 marks end of the @@ -251,6 +261,12 @@ int dlm_recover_directory(struct dlm_ls *ls) if (!namelen) break; + if (namelen > left) + goto out_free; + + if (namelen > DLM_RESNAME_MAXLEN) + goto out_free; + error = -ENOMEM; de = get_free_de(ls, namelen); if (!de) 
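Review bot: The new guard `if (left < sizeof(__be16))` compares the signed `int left` (declared in the first dir.c hunk) with a `size_t`, so a negative `left` is converted to a large unsigned value and the check passes. `left` goes negative whenever `rc_header.h_length` is smaller than `sizeof(struct dlm_rcom)`, and nothing visible in these hunks rules that out. In that case the two-byte `memcpy` from `b` still runs, and a length of 0 is accepted as a terminator before the later `namelen > left` test is reached. Writing the guard as `if (left < (int)sizeof(__be16))` closes this, since `error = -EINVAL` is already set on the line before. It is also worth confirming, outside this hunk, that `h_length` was checked against the number of bytes actually received, because it is the only bound used here.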
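Review bot: Both new rejections, `if (namelen > left)` and `if (namelen > DLM_RESNAME_MAXLEN)`, leave through `out_free` without logging anything, so a malformed names message from a peer node shows up only as a failed recovery with -EINVAL. A line before the `goto`, for example `log_error(ls, "dlm_recover_directory bad namelen %u left %d", namelen, left);`, would let an operator tell a corrupt or hostile message from other recovery failures; this assumes the dlm `log_error` macro is available in this file, which the hunk does not show. The two tests could also be combined into one condition so that the message is written in one place. The -EINVAL returned here comes from the assignment at the top of the inner loop in the previous hunk, which deserves a short comment because `error = -ENOMEM;` follows immediately.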
@@ -262,6 +278,7 @@ int dlm_recover_directory(struct dlm_ls *ls) memcpy(de->name, b, namelen); memcpy(last_name, b, namelen); b += namelen; + left -= namelen; add_entry_to_hash(ls, de); count++;