[PATCH] NFS: Ensure ACL xdr code doesn't overflow.

Signed-off-by: N Trond Myklebust <Trond.Myklebust@netapp.com> Signed-off-by: N Linus Torvalds <torvalds@osdl.org>

[PATCH] NFS: Ensure ACL xdr code doesn't overflow.
Signed-off-by: N Trond Myklebust <Trond.Myklebust@netapp.com> Signed-off-by: N Linus Torvalds <torvalds@osdl.org>
58fcb8df · Trond Myklebust · Linus Torvalds · 75cd968a · 58fcb8df · 58fcb8df
隐藏空白更改
内联并排

Showing with 3 addition and 0 deletion

fs/nfs_common/nfsacl.c fs/nfs_common/nfsacl.c +1 -0

include/linux/sunrpc/xdr.h include/linux/sunrpc/xdr.h +1 -0

net/sunrpc/xdr.c net/sunrpc/xdr.c +1 -0

未找到文件。
--- a/fs/nfs_common/nfsacl.c
+++ b/fs/nfs_common/nfsacl.c
@@ -239,6 +239,7 @@ nfsacl_decode(struct xdr_buf *buf, unsigned int base, unsigned int *aclcnt,
 	if (xdr_decode_word(buf, base, &entries) ||
 	    entries > NFS_ACL_MAX_ENTRIES)
 		return -EINVAL;
+	nfsacl_desc.desc.array_maxlen = entries;
 	err = xdr_decode_array2(buf, base + 4, &nfsacl_desc.desc);
 	if (err)
 		return err;

--- a/include/linux/sunrpc/xdr.h
+++ b/include/linux/sunrpc/xdr.h
@@ -177,6 +177,7 @@ typedef int (*xdr_xcode_elem_t)(struct xdr_array2_desc *desc, void *elem);
 struct xdr_array2_desc {
 	unsigned int elem_size;
 	unsigned int array_len;
+	unsigned int array_maxlen;
 	xdr_xcode_elem_t xcode;
 };


--- a/net/sunrpc/xdr.c
+++ b/net/sunrpc/xdr.c
@@ -993,6 +993,7 @@ xdr_xcode_array2(struct xdr_buf *buf, unsigned int base,
 			return -EINVAL;
 	} else {
 		if (xdr_decode_word(buf, base, &desc->array_len) != 0 ||
+		    desc->array_len > desc->array_maxlen ||
 		    (unsigned long) base + 4 + desc->array_len *
 				    desc->elem_size > buf->len)
 			return -EINVAL;