sa_lookup() ignores buffer size.

When retrieving a system attribute, the size of the supplied buffer is ignored. If the buffer is too small to hold the attribute, sa_attr_op() will write past the end of the buffer. Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov> Signed-off-by: Jason King <jking@racktopsystems.com> Closes #15476
2024-10-15 04:43:53 +00:00 · 2023-11-07 14:11:48 -06:00 · 2023-11-07 14:11:48 -06:00 · 3d86999c75
parent 78ac868824
commit 3d86999c75
1 changed files with 2 additions and 1 deletions
--- a/module/zfs/sa.c
+++ b/module/zfs/sa.c
@ -23,6 +23,7 @@
 * Copyright (c) 2010, Oracle and/or its affiliates. All rights reserved.
 * Copyright (c) 2013, 2017 by Delphix. All rights reserved.
 * Copyright (c) 2014 Spectra Logic Corporation, All rights reserved.
+ * Copyright 2023 RackTop Systems, Inc.
 */

 #include <sys/zfs_context.h>
@ -369,7 +370,7 @@ sa_attr_op(sa_handle_t *hdl, sa_bulk_attr_t *bulk, int count,
 			if (bulk[i].sa_data) {
 				SA_COPY_DATA(bulk[i].sa_data_func,
 				    bulk[i].sa_addr, bulk[i].sa_data,
-				    bulk[i].sa_size);
+				    MIN(bulk[i].sa_size, bulk[i].sa_length));
 			}
 			continue;