On 2/24/22 2:06 PM, Steve Dickson wrote:
Commit 9c99b463 typecast a uint into an int
to fix a Coverity warning. Potentially this
could cause a very large rogue value to be
negative, allowing the rogue value to index into
a table, causing corruption.
A check has been added to detect this type
of situation.
Signed-off-by: Steve Dickson <steved@xxxxxxxxxx>
Committed... (tag: nfs-utils-2-6-2-rc3)
With the addition of
Reported-by: Richard Weinberger <richard@xxxxxx>
steved.
---
support/nfs/rpcdispatch.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/support/nfs/rpcdispatch.c b/support/nfs/rpcdispatch.c
index f7c27c98..7329f419 100644
--- a/support/nfs/rpcdispatch.c
+++ b/support/nfs/rpcdispatch.c
@@ -26,12 +26,13 @@ rpc_dispatch(struct svc_req *rqstp, SVCXPRT *transp,
void *argp, void *resp)
{
struct rpc_dentry *dent;
+ int rq_vers = (int)rqstp->rq_vers;
- if (((int)rqstp->rq_vers) > nvers) {
+ if (rq_vers < 1 || rq_vers > nvers) {
svcerr_progvers(transp, 1, nvers);
return;
}
- dtable += (rqstp->rq_vers - 1);
+ dtable += (rq_vers - 1);
if (rqstp->rq_proc > dtable->nproc) {
svcerr_noproc(transp);
return;
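Review bot: The new rq_vers < 1 test in rpc_dispatch() only rejects oversized versions because (int)rqstp->rq_vers turns values above INT_MAX negative, and that unsigned-to-int conversion is implementation-defined in C. Keeping the value unsigned and testing "rqstp->rq_vers < 1 || rqstp->rq_vers > (unsigned int)nvers" gives the same bound without depending on the cast, assuming nvers is never negative. Either way, a short comment above the check would help: it should say that version 0 and values that wrap negative are both rejected before dtable is advanced, since the commit message mentions only the large-value case and the "< 1" bound also covers a request with version 0.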