On a 32 bit system, the "len * sizeof(*p)" operation can have an integer overflow. Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx> --- It's hard to pick a Fixes tag for this... The temptation is to say: Fixes: 37c88763def8 ("NFSv4; Clean up XDR encoding of type bitmap4") But there were integer overflows in the code before that as well. include/linux/sunrpc/xdr.h | 2 ++ 1 file changed, 2 insertions(+) diff --git a/include/linux/sunrpc/xdr.h b/include/linux/sunrpc/xdr.h index b519609af1d0..61b92e6b9813 100644 --- a/include/linux/sunrpc/xdr.h +++ b/include/linux/sunrpc/xdr.h @@ -731,6 +731,8 @@ xdr_stream_decode_uint32_array(struct xdr_stream *xdr, if (unlikely(xdr_stream_decode_u32(xdr, &len) < 0)) return -EBADMSG; + if (len > ULONG_MAX / sizeof(*p)) + return -EBADMSG; p = xdr_inline_decode(xdr, len * sizeof(*p)); if (unlikely(!p)) return -EBADMSG; -- 2.20.1
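Review bot: The added bound ahead of xdr_inline_decode() is written against ULONG_MAX, but the product len * sizeof(*p) is computed in the type of sizeof. Using SIZE_MAX, or check_mul_overflow() from linux/overflow.h, would tie the test to the multiplication it guards instead of relying on unsigned long and size_t having the same width. The two neighbouring error checks in this hunk wrap their conditions in unlikely(), while the new `if (len > ULONG_MAX / sizeof(*p))` does not; matching them would keep the function consistent. Since len is filled by xdr_stream_decode_u32(), the condition can only be true on 32-bit builds, as the commit message says, and a one-line comment to that effect would stop readers on 64-bit from taking it for dead code.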