@@ -2127,6 +2127,11 @@ static rtapi_u16 crc_modbus(const rtapi_u8 *buffer, size_t len)
21272127/* Mbccb file read and validation */
21282128/* - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - */
21292129
2130+ // We shouldn't even run into the mbccb file size limit with 1024 inits, 1024
2131+ // commands and 1024 pins. But it surely spares us from crashing the
2132+ // application or kernel if we try to allocate too large a chunk.
2133+ #define MBCCB_SIZE_MAX (128*1024)
2134+
21302135#if !defined(__KERNEL__ )
21312136// Userspace file read
21322137static ssize_t read_mbccb (const hm2_modbus_inst_t * inst , const char * fname , hm2_modbus_mbccb_header_t * * pmbccb )
@@ -2153,6 +2158,13 @@ static ssize_t read_mbccb(const hm2_modbus_inst_t *inst, const char *fname, hm2_
21532158 return rv ;
21542159 }
21552160
2161+ // Limit the mbccb file to a sane size
2162+ if (sb .st_size > MBCCB_SIZE_MAX ) {
2163+ MSG_ERR ("%s: error: Mbccb file '%s' too large (%zd > %d bytes)\n" , inst -> name , fname , (ssize_t )sb .st_size , MBCCB_SIZE_MAX );
2164+ close (fd );
2165+ return - EFBIG ;
2166+ }
2167+
21562168 // Allocate memory
21572169 * pmbccb = rtapi_kzalloc (sb .st_size , RTAPI_GFP_KERNEL );
21582170 if (!* pmbccb ) {
@@ -2207,6 +2219,13 @@ static ssize_t read_mbccb(const hm2_modbus_inst_t *inst, const char *fname, hm2_
22072219
22082220 ssize_t fsize = fp -> f_inode -> i_size ; // File's inode file size
22092221
2222+ // Limit the mbccb file to a sane size
2223+ if (fsize > MBCCB_SIZE_MAX ) {
2224+ MSG_ERR ("%s: error: Mbccb file '%s' too large (%zd > %d bytes)\n" , inst -> name , fname , fsize , MBCCB_SIZE_MAX );
2225+ filp_close (fp , NULL );
2226+ return - EFBIG ;
2227+ }
2228+
22102229 // Allocate memory
22112230 * pmbccb = rtapi_kzalloc (fsize , RTAPI_GFP_KERNEL );
22122231 if (!* pmbccb ) {
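Review bot: In the kernel-side hunk the limit is applied to `fsize` only after `fp->f_inode->i_size` has been narrowed to `ssize_t`, so on a build where `ssize_t` is narrower than the inode size type a very large file could wrap to a negative or small value and pass `fsize > MBCCB_SIZE_MAX`. Compare before narrowing and reject negatives, e.g. `if (fp->f_inode->i_size < 0 || fp->f_inode->i_size > MBCCB_SIZE_MAX)`. Both branches also bound the size only from above. Unless a later check outside these hunks already does it, a file shorter than `sizeof(hm2_modbus_mbccb_header_t)`, including an empty one, still reaches `rtapi_kzalloc` and whatever parses the header. `read_mbccb` continues beyond the visible hunks in both the userspace and kernel variants.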