Commit 092e0d0e authored Mar 13, 2026 by HyungJung Joo Committed by Mike Marshall Apr 07, 2026

orangefs: validate getxattr response length



orangefs_inode_getxattr() trusts the userspace-client-controlled
downcall.resp.getxattr.val_sz and uses it as a memcpy() length
both for the temporary user buffer and the cached xattr buffer.
Reject malformed negative or oversized lengths before copying
response bytes.

Reported-by: Hyungjung Joo <jhj140711@gmail.com>
Signed-off-by: HyungJung Joo <jhj140711@gmail.com>
Signed-off-by: Mike Marshall <hubcap@omnibond.com>

parent 415e507c

fs/orangefs/xattr.c

+4 −0

Original line number	Diff line number	Diff line
		@@ -188,6 +188,10 @@ ssize_t orangefs_inode_getxattr(struct inode inode, const char name,
		* Length returned includes null terminator.
		*/
		length = new_op->downcall.resp.getxattr.val_sz;
		if (length < 0 \|\| length > ORANGEFS_MAX_XATTR_VALUELEN) {
		ret = -EIO;
		goto out_release_op;
		}

		/*
		* Just return the length of the queried attribute.