lk/linux-kernel-test
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

[PATCH] NFS: Ensure ACL xdr code doesn't overflow.

Browse Source 
Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
This commit is contained in:
Trond Myklebust
2005-08-10 18:15:12 -04:00
committed by Linus Torvalds
parent 75cd968ab2
commit 58fcb8df0b
3 changed files with 3 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
fs/nfs_common/nfsacl.c
View File

@@ -239,6 +239,7 @@ nfsacl_decode(struct xdr_buf *buf, unsigned int base, unsigned int *aclcnt,
if (xdr_decode_word(buf, base, &entries) || if (xdr_decode_word(buf, base, &entries) ||
entries > NFS_ACL_MAX_ENTRIES) entries > NFS_ACL_MAX_ENTRIES)
return -EINVAL; return -EINVAL;
nfsacl_desc.desc.array_maxlen = entries;
err = xdr_decode_array2(buf, base + 4, &nfsacl_desc.desc); err = xdr_decode_array2(buf, base + 4, &nfsacl_desc.desc);
if (err) if (err)
return err; return err;

1
include/linux/sunrpc/xdr.h
View File

@@ -177,6 +177,7 @@ typedef int (*xdr_xcode_elem_t)(struct xdr_array2_desc *desc, void *elem);
struct xdr_array2_desc { struct xdr_array2_desc {
unsigned int elem_size; unsigned int elem_size;
unsigned int array_len; unsigned int array_len;
unsigned int array_maxlen;
xdr_xcode_elem_t xcode; xdr_xcode_elem_t xcode;
}; };

1
net/sunrpc/xdr.c
View File

@@ -993,6 +993,7 @@ xdr_xcode_array2(struct xdr_buf *buf, unsigned int base,
return -EINVAL; return -EINVAL;
} else { } else {
if (xdr_decode_word(buf, base, &desc->array_len) != 0 || if (xdr_decode_word(buf, base, &desc->array_len) != 0 ||
desc->array_len > desc->array_maxlen ||
(unsigned long) base + 4 + desc->array_len * (unsigned long) base + 4 + desc->array_len *
desc->elem_size > buf->len) desc->elem_size > buf->len)
return -EINVAL; return -EINVAL;