tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom

[PATCH] NFS: Ensure ACL xdr code doesn't overflow.

Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>

authored by

Trond Myklebust and committed by
Linus Torvalds 58fcb8df 75cd968a

+3
+1
fs/nfs_common/nfsacl.c
··· 239 239 if (xdr_decode_word(buf, base, &entries) || 240 240 entries > NFS_ACL_MAX_ENTRIES) 241 241 return -EINVAL; 242 + nfsacl_desc.desc.array_maxlen = entries; 242 243 err = xdr_decode_array2(buf, base + 4, &nfsacl_desc.desc); 243 244 if (err) 244 245 return err;
+1
include/linux/sunrpc/xdr.h
··· 177 177 struct xdr_array2_desc { 178 178 unsigned int elem_size; 179 179 unsigned int array_len; 180 + unsigned int array_maxlen; 180 181 xdr_xcode_elem_t xcode; 181 182 }; 182 183
+1
net/sunrpc/xdr.c
··· 993 993 return -EINVAL; 994 994 } else { 995 995 if (xdr_decode_word(buf, base, &desc->array_len) != 0 || 996 + desc->array_len > desc->array_maxlen || 996 997 (unsigned long) base + 4 + desc->array_len * 997 998 desc->elem_size > buf->len) 998 999 return -EINVAL;