nfsv4 server can return a very large who's len(eg. wholen = 62343534343) in an FATTR4_WORD0_ACL request.It can cause nfs4_getacl core dump when call 'malloc((wholen + 1) * sizeof(char))'. This patch checked if who's len bigger than xattr_size when getfacl. This patch also fixed some code style. Signed-off-by: Fan Chaoting <fanchaoting@xxxxxxxxxxxxxx> --- libnfs4acl/acl_nfs4_xattr_load.c | 6 ++++++ libnfs4acl/nfs4_acl_for_path.c | 8 ++++---- 2 files changed, 10 insertions(+), 4 deletions(-) diff --git a/libnfs4acl/acl_nfs4_xattr_load.c b/libnfs4acl/acl_nfs4_xattr_load.c index 089a139..ced1c95 100644 --- a/libnfs4acl/acl_nfs4_xattr_load.c +++ b/libnfs4acl/acl_nfs4_xattr_load.c @@ -139,6 +139,12 @@ struct nfs4_acl * acl_nfs4_xattr_load(char *xattr_v, int xattr_size, u32 is_dir) goto err1; } + /*wholen should less than xattr_size*/ + if (wholen > xattr_size) { + errno = EINVAL; + goto err1; + } + who = (char *) malloc((wholen+1) * sizeof(char)); if (who == NULL) { errno = ENOMEM; diff --git a/libnfs4acl/nfs4_acl_for_path.c b/libnfs4acl/nfs4_acl_for_path.c index 7461005..577dd1f 100644 --- a/libnfs4acl/nfs4_acl_for_path.c +++ b/libnfs4acl/nfs4_acl_for_path.c @@ -92,14 +92,14 @@ static int nfs4_getxattr(const char *path, void *value, size_t size) res = getxattr(path, ACL_NFS4_XATTR, value, size); if (res < -10000) { - fprintf(stderr,"An internal NFS server error code (%d) was returned; this should never happen.\n",res); + fprintf(stderr, "An internal NFS server error code (%d) was returned; this should never happen.\n", res); } else if (res < 0) { if (errno == ENOATTR) - fprintf(stderr,"Attribute not found on file.\n"); + fprintf(stderr, "Attribute not found on file.\n"); else if (errno == EREMOTEIO) - fprintf(stderr,"An NFS server error occurred.\n"); + fprintf(stderr, "An NFS server error occurred.\n"); else if (errno == EOPNOTSUPP) - fprintf(stderr,"Operation to request attribute not supported.\n"); + fprintf(stderr, "Operation to request attribute not supported.\n"); else perror("Failed getxattr operation"); } -- 1.7.1 -- -- To unsubscribe from this list: send the line "unsubscribe linux-nfs" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html