[PATCH 1/2] net: nfs: Fix possible buffer overflow


nfs_readlink_reply() interprets a 32-bit value directly received from the
network as the length argument to memcpy() without any boundary checking.
Clamp the copy size at the end of the incoming packet.

Signed-off-by: Sascha Hauer <s.hauer@xxxxxxxxxxxxxx>
---
 net/nfs.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/net/nfs.c b/net/nfs.c
index 0a3021994a..63573098d7 100644
--- a/net/nfs.c
+++ b/net/nfs.c
@@ -502,7 +502,7 @@ static int nfs_readlink_reply(unsigned char *pkt, unsigned len)
 {
 	uint32_t *data;
 	char *path;
-	int rlen;
+	unsigned int rlen;
 	int ret;
 
 	ret = rpc_check_reply(pkt, 1);
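Review bot: the value assigned to `rlen` comes from ntohl(net_read_uint32(data)), which is a uint32_t, so declaring `rlen` as `uint32_t` rather than `unsigned int` would match the wire type exactly and make the reason for dropping the signed `int` explicit; where unsigned int is 32 bits wide the two are identical, so this is a style point only.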
@@ -515,6 +515,9 @@ static int nfs_readlink_reply(unsigned char *pkt, unsigned len)
 
 	rlen = ntohl(net_read_uint32(data)); /* new path length */
 
+	rlen = max_t(unsigned int, rlen,
+		     len - sizeof(struct rpc_reply) - sizeof(uint32_t));
+
 	data++;
 	path = (char *)data;
 
-- 
2.23.0


_______________________________________________
barebox mailing list
barebox@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/barebox
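The clamp the commit message describes, worked through as an added example (not barebox code and not from the patch author): a stand-in for the length handling in nfs_readlink_reply(), run over a constructed reply packet. The header size RPC_HDR_SIZE, the helper names and the sample path are assumptions; the real size of `struct rpc_reply` and the code around the hunk are not on this page. It puts the max_t() form from the hunk as posted, which never reduces a hostile length, beside a min-based clamp that also rejects packets too short for the headers and bounds the copy by the destination buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Assumed header size; a placeholder for sizeof(struct rpc_reply), not its real value. */
#define RPC_HDR_SIZE 24u

/* Big-endian 32-bit read, stand-in for ntohl(net_read_uint32(data)). */
static uint32_t be32_to_host(const unsigned char *p)
{
	return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
	       ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/*
 * The clamp exactly as the hunk computes it: max_t() keeps the LARGER of the
 * wire length and the bytes left in the packet, so a hostile length is never
 * reduced, and the subtraction wraps when len is shorter than the headers.
 */
static size_t clamp_as_posted(uint32_t rlen, size_t len)
{
	size_t remaining = len - RPC_HDR_SIZE - sizeof(uint32_t);

	return rlen > remaining ? rlen : remaining;
}

/*
 * Corrected handling: refuse packets too short for the headers (so the
 * subtraction cannot wrap), take the MINIMUM of the wire length and the
 * bytes actually present, and bound the copy by the destination as well.
 * Returns 0 on success, -1 on a truncated packet.
 */
static int readlink_copy_path(const unsigned char *pkt, size_t len,
			      char *dst, size_t dst_size, size_t *copied)
{
	const size_t hdr = RPC_HDR_SIZE + sizeof(uint32_t);
	size_t rlen;

	if (dst_size == 0 || len < hdr)
		return -1;

	rlen = be32_to_host(pkt + RPC_HDR_SIZE);	/* attacker-controlled */
	if (rlen > len - hdr)
		rlen = len - hdr;			/* clamp to end of packet */
	if (rlen > dst_size - 1)
		rlen = dst_size - 1;			/* clamp to buffer, keep NUL */

	memcpy(dst, pkt + hdr, rlen);
	dst[rlen] = '\0';
	*copied = rlen;
	return 0;
}

/* Constructed reply: zeroed header, length word (may lie), then the path bytes. */
static size_t build_reply(unsigned char *buf, size_t cap, uint32_t claimed,
			  const char *path)
{
	size_t plen = strlen(path);
	size_t total = RPC_HDR_SIZE + sizeof(uint32_t) + plen;

	if (total > cap)
		return 0;
	memset(buf, 0, RPC_HDR_SIZE);
	buf[RPC_HDR_SIZE + 0] = (unsigned char)(claimed >> 24);
	buf[RPC_HDR_SIZE + 1] = (unsigned char)(claimed >> 16);
	buf[RPC_HDR_SIZE + 2] = (unsigned char)(claimed >> 8);
	buf[RPC_HDR_SIZE + 3] = (unsigned char)claimed;
	memcpy(buf + RPC_HDR_SIZE + sizeof(uint32_t), path, plen);
	return total;
}

int main(void)
{
	unsigned char pkt[128];
	char path[64];
	size_t len, copied;

	/* Honest peer: 12-byte path, length field says 12. */
	len = build_reply(pkt, sizeof(pkt), 12, "/boot/zImage");
	readlink_copy_path(pkt, len, path, sizeof(path), &copied);
	printf("honest: copied %zu bytes -> %s\n", copied, path);

	/* Hostile peer: same 12 bytes on the wire, length field says 4 GiB. */
	len = build_reply(pkt, sizeof(pkt), 0xffffffffu, "/boot/zImage");
	printf("posted max_t clamp would copy %zu bytes\n",
	       clamp_as_posted(0xffffffffu, len));
	readlink_copy_path(pkt, len, path, sizeof(path), &copied);
	printf("fixed min clamp copied %zu bytes -> %s\n", copied, path);
	return 0;
}
```

The two clamps are deliberately kept in separate functions so the hostile case can be fed to both: with the posted form the 0xffffffff length survives untouched, with the min form the copy stops at the 12 bytes the packet actually carries, or at the destination size when that is smaller.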


