[PATCH] nfs4-acl-tools: when who's length is very big, nfs4_getacl core dump

An NFSv4 server can return a very large who's len (e.g. wholen = 62343534343)
in a FATTR4_WORD0_ACL request. It can cause nfs4_getacl to core dump
when calling 'malloc((wholen + 1) * sizeof(char))'.

This patch checks whether who's len is bigger than xattr_size during getfacl.

This patch also fixes some code style.

Signed-off-by: Fan Chaoting <fanchaoting@xxxxxxxxxxxxxx>
---
 libnfs4acl/acl_nfs4_xattr_load.c |    6 ++++++
 libnfs4acl/nfs4_acl_for_path.c   |    8 ++++----
 2 files changed, 10 insertions(+), 4 deletions(-)

diff --git a/libnfs4acl/acl_nfs4_xattr_load.c b/libnfs4acl/acl_nfs4_xattr_load.c
index 089a139..ced1c95 100644
--- a/libnfs4acl/acl_nfs4_xattr_load.c
+++ b/libnfs4acl/acl_nfs4_xattr_load.c
@@ -139,6 +139,12 @@ struct nfs4_acl * acl_nfs4_xattr_load(char *xattr_v, int xattr_size, u32 is_dir)
 			goto err1;
 		}
 
+		/*wholen should less than xattr_size*/
+		if (wholen > xattr_size) {
+			errno = EINVAL;
+			goto err1;
+		}
+
 		who = (char *) malloc((wholen+1) * sizeof(char));
 		if (who == NULL) {
 			errno = ENOMEM;
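Review bot: the new `wholen > xattr_size` test bounds the length against the size of the whole xattr rather than against the bytes still unread at this point, so a wholen that is no larger than xattr_size but larger than what remains after the fields already parsed still reaches the malloc and whatever copy follows it. Suggest comparing against the remaining length (end of xattr_v minus the current read position) instead. xattr_size is declared `int` in the function signature and the type of wholen is not visible in this hunk, so also make sure both sides are compared in one type, with xattr_size known to be non-negative, so that a signed/unsigned conversion cannot let a value through. The comment says "less than" while the test accepts wholen == xattr_size; align the two, and add spaces inside the comment delimiters. Since the context lines show that a NULL return from malloc is already handled with ENOMEM, the commit message would be clearer if it said where the crash actually happens.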
diff --git a/libnfs4acl/nfs4_acl_for_path.c b/libnfs4acl/nfs4_acl_for_path.c
index 7461005..577dd1f 100644
--- a/libnfs4acl/nfs4_acl_for_path.c
+++ b/libnfs4acl/nfs4_acl_for_path.c
@@ -92,14 +92,14 @@ static int nfs4_getxattr(const char *path, void *value, size_t size)
 
 	res = getxattr(path, ACL_NFS4_XATTR, value, size);
 	if (res < -10000) {
-		fprintf(stderr,"An internal NFS server error code (%d) was returned; this should never happen.\n",res);
+		fprintf(stderr, "An internal NFS server error code (%d) was returned; this should never happen.\n", res);
 	} else if (res < 0) {
 		if (errno == ENOATTR)
-			fprintf(stderr,"Attribute not found on file.\n");
+			fprintf(stderr, "Attribute not found on file.\n");
 		else if (errno == EREMOTEIO)
-		    fprintf(stderr,"An NFS server error occurred.\n");
+		    fprintf(stderr, "An NFS server error occurred.\n");
 		else if (errno == EOPNOTSUPP)
-			fprintf(stderr,"Operation to request attribute not supported.\n");
+			fprintf(stderr, "Operation to request attribute not supported.\n");
 		else
 			perror("Failed getxattr operation");
 	}
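Review bot: the four fprintf changes in nfs4_getxattr() are whitespace-only and unrelated to the wholen fix; please split them into a separate cleanup patch so the bounds check can be reviewed and backported on its own. If the cleanup stays, note that the fprintf under `else if (errno == EREMOTEIO)` is still indented with a tab plus spaces, unlike its neighbours, so the style pass is incomplete.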
-- 1.7.1 
