Commit 9c99b463 typecast an uint into a int
to fix a Coverity warning. Potentially this
could cause a very large rogue value to be
negative allow the rouge value to index into
a table causing corruption.
A check has been added to detect this type
of situation.
Signed-off-by: Steve Dickson <steved@xxxxxxxxxx>
---
support/nfs/rpcdispatch.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/support/nfs/rpcdispatch.c b/support/nfs/rpcdispatch.c
index f7c27c98..7329f419 100644
--- a/support/nfs/rpcdispatch.c
+++ b/support/nfs/rpcdispatch.c
@@ -26,12 +26,13 @@ rpc_dispatch(struct svc_req *rqstp, SVCXPRT *transp,
void *argp, void *resp)
{
struct rpc_dentry *dent;
+ int rq_vers = (int)rqstp->rq_vers;
- if (((int)rqstp->rq_vers) > nvers) {
+ if (rq_vers < 1 || rq_vers > nvers) {
svcerr_progvers(transp, 1, nvers);
return;
}
- dtable += (rqstp->rq_vers - 1);
+ dtable += (rq_vers - 1);
if (rqstp->rq_proc > dtable->nproc) {
svcerr_noproc(transp);
return;
--
2.34.1
