Re: [PATCH] ocfs2/dlm: validate message payload length in query handlers
From: Joseph Qi
Date: Tue Mar 17 2026 - 08:22:37 EST
On 3/12/26 6:03 PM, Junrui Luo wrote:
> dlm_query_region_handler() and dlm_query_nodeinfo_handler() cast
> msg->buf to their respective structure pointers without validating
> that the received message length is sufficient. The o2net transport
> layer only enforces a maximum payload length, not a minimum, so a
> truncated message passes the network check and reaches the handler.
>
> This causes out-of-bounds reads from the receive page buffer when
> accessing structure fields beyond the actual payload, leading to
> operations on stale or uninitialized data.
>
OCFS2 is always deployed in a trusted network.
So if not considering defensive programming, how does it happen in a real
environment?
Thanks,
Joseph
> Fix by validating that len covers the full expected structure size
> before accessing any payload fields.
>
> Cc: stable@xxxxxxxxxxxxxxx
> Fixes: ea2034416b54 ("ocfs2/dlm: Add message DLM_QUERY_REGION")
> Fixes: 18cfdf1b1a8e ("ocfs2/dlm: Add message DLM_QUERY_NODEINFO")
> Reported-by: Yuhao Jiang <danisjiang@xxxxxxxxx>
> Signed-off-by: Junrui Luo <moonafterrain@xxxxxxxxxxx>
> ---
> fs/ocfs2/dlm/dlmdomain.c | 6 ++++++
> 1 file changed, 6 insertions(+)
>
> diff --git a/fs/ocfs2/dlm/dlmdomain.c b/fs/ocfs2/dlm/dlmdomain.c
> index 70ca79e4bdc3..07aef9ae8cbe 100644
> --- a/fs/ocfs2/dlm/dlmdomain.c
> +++ b/fs/ocfs2/dlm/dlmdomain.c
> @@ -1100,6 +1100,9 @@ static int dlm_query_region_handler(struct o2net_msg *msg, u32 len,
> char *local = NULL;
> int status = 0;
>
> + if (len < sizeof(struct o2net_msg) + sizeof(struct dlm_query_region))
> + return -EINVAL;
> +
> qr = (struct dlm_query_region *) msg->buf;
>
> mlog(0, "Node %u queries hb regions on domain %s\n", qr->qr_node,
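Review bot: the early `return -EINVAL;` inserted before `qr = (struct dlm_query_region *) msg->buf;` rejects a short message silently, while the handler otherwise records every accepted query via `mlog(0, "Node %u queries hb regions ...")`; a truncated payload is exactly the case an operator would want to see, so an `mlog(ML_ERROR, ...)` giving the received `len` and the expected `sizeof(struct o2net_msg) + sizeof(struct dlm_query_region)` before the return would make the rejection diagnosable. The check also depends on `len` counting the `struct o2net_msg` header in addition to the payload; since the description only says o2net enforces a maximum, it would help to state in the commit message that this header-inclusive length is what the transport hands to handlers, because an off-by-header mistake here would reject every valid query rather than only truncated ones.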
> @@ -1276,6 +1279,9 @@ static int dlm_query_nodeinfo_handler(struct o2net_msg *msg, u32 len,
> struct dlm_ctxt *dlm = NULL;
> int status = -EINVAL;
>
> + if (len < sizeof(struct o2net_msg) + sizeof(struct dlm_query_nodeinfo))
> + return -EINVAL;
> +
> qn = (struct dlm_query_nodeinfo *) msg->buf;
>
> mlog(0, "Node %u queries nodes on domain %s\n", qn->qn_nodenum,
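Review bot: this is the same header-plus-structure length check as in `dlm_query_region_handler`, written out a second time with only the structure name changed; a small shared helper (or a per-message-type minimum length enforced once where o2net dispatches to handlers) would keep the two checks in step if either structure changes. The early return is safe at this point because nothing has been set up yet (`dlm = NULL` and `status = -EINVAL` are still their initial values), but the same silent-rejection point applies: a short DLM_QUERY_NODEINFO message is dropped with no log line, unlike the `mlog(0, "Node %u queries nodes ...")` that follows for accepted queries.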
>
> ---
> base-commit: 1f318b96cc84d7c2ab792fcc0bfd42a7ca890681
> change-id: 20260312-fixes-c80f56fb6069
>
> Best regards,