[PATCH] [stable 2.6.24] Fix oops at rpcb_getport_async in sunrpc

The rpcb_getport_async in the sunrpc module copies a larger memory area than
was allocated. Because of this problem, NFS users might encounter an oops.

This problem only exists in 2.6.24.y.
It is fixed in 2.6.25 by the commit 86d61d8638ddf9cdf87df26c7fa69b2804425fbe.

Regards,

HIRANO Takahito

Cc: stable@xxxxxxxxxx,
    linux-nfs@xxxxxxxxxxxxxxx

Signed-off-by: HIRANO Takahito <hiranotaka@xxxxxxxx>
---
 net/sunrpc/rpcb_clnt.c |    6 ++----
 1 files changed, 2 insertions(+), 4 deletions(-)

diff --git a/net/sunrpc/rpcb_clnt.c b/net/sunrpc/rpcb_clnt.c
index a05493a..4d939a6 100644
--- a/net/sunrpc/rpcb_clnt.c
+++ b/net/sunrpc/rpcb_clnt.c
@@ -113,7 +113,7 @@ struct rpcbind_args {
 	u32			r_prot;
 	unsigned short		r_port;
 	char *			r_netid;
-	char			r_addr[RPCB_MAXADDRLEN];
+	const char *		r_addr;
 	char *			r_owner;
 };

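Review bot: r_addr in struct rpcbind_args changes from an embedded buffer to a borrowed pointer, and the struct should carry a comment saying so: who owns the string, that it must not be freed through the map, and how long it stays valid. It is also declared `const char *` while the neighbouring r_netid, filled from the same rpc_peeraddr2str() helper in rpcb_getport_async, stays `char *`; making the two consistent would help the next reader see that both are borrowed strings and neither is writable.
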
@@ -390,9 +390,7 @@ void rpcb_getport_async(struct rpc_task *task)
 	map->r_port = 0;
 	map->r_xprt = xprt_get(xprt);
 	map->r_netid = rpc_peeraddr2str(clnt, RPC_DISPLAY_NETID);
-	memcpy(map->r_addr,
-	       rpc_peeraddr2str(rpcb_clnt, RPC_DISPLAY_UNIVERSAL_ADDR),
-	       sizeof(map->r_addr));
+	map->r_addr = rpc_peeraddr2str(rpcb_clnt, RPC_DISPLAY_UNIVERSAL_ADDR);
 	map->r_owner = RPCB_OWNER_STRING;	/* ignored for GETADDR */

 	child = rpc_run_task(rpcb_clnt, RPC_TASK_ASYNC, &rpcb_getport_ops, map);
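
Review bot: the new assignment to map->r_addr stores the pointer returned by rpc_peeraddr2str(rpcb_clnt, ...) in a map that is handed to a child task started with RPC_TASK_ASYNC, so the string has to outlive that task, and the hunk does not show what guarantees it. The only reference taken in the visible lines is xprt_get(xprt) for map->r_xprt, which is on the caller's transport and not on rpcb_clnt. Please state in the changelog or in a comment above the assignment what keeps rpcb_clnt's address string alive until the child has encoded its arguments. The changelog could also name the defect more precisely: the removed memcpy used sizeof(map->r_addr) as the length, so it read that many bytes from the source string regardless of how long the string actually was.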