nfsd: fix buffer overrun decoding NFSv4 acl

The array we kmalloc() here is not large enough. Thanks to Johann Dahm and David Richter for bug report and testing. Signed-off-by: N J. Bruce Fields <bfields@citi.umich.edu> Cc: David Richter <richterd@citi.umich.edu> Tested-by: N Johann Dahm <jdahm@umich.edu>

nfsd: fix buffer overrun decoding NFSv4 acl
The array we kmalloc() here is not large enough. Thanks to Johann Dahm and David Richter for bug report and testing. Signed-off-by: N J. Bruce Fields <bfields@citi.umich.edu> Cc: David Richter <richterd@citi.umich.edu> Tested-by: N Johann Dahm <jdahm@umich.edu>
91b80969 · J. Bruce Fields · 27df6f25 · 91b80969
隐藏空白更改
内联并排

Showing with 1 addition and 1 deletion

fs/nfsd/nfs4acl.c fs/nfsd/nfs4acl.c +1 -1

未找到文件。
--- a/fs/nfsd/nfs4acl.c
+++ b/fs/nfsd/nfs4acl.c
@@ -443,7 +443,7 @@ init_state(struct posix_acl_state *state, int cnt)
 	 * enough space for either:
 	 */
 	alloc = sizeof(struct posix_ace_state_array)
-		+ cnt*sizeof(struct posix_ace_state);
+		+ cnt*sizeof(struct posix_user_ace_state);
 	state->users = kzalloc(alloc, GFP_KERNEL);
 	if (!state->users)
 		return -ENOMEM;