[PATCH 2/2] fs: nfs: Fix possible buffer overflow

nfs_readlink_req() interprets a 32bit value directly received from the
network as length argument to memcpy() without any boundary checking.
Clamp the copy size at the end of the incoming packet.

Signed-off-by: Sascha Hauer <s.hauer@xxxxxxxxxxxxxx>
---
 fs/nfs.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/fs/nfs.c b/fs/nfs.c
index d606ccd1e9..0ad07aa3f2 100644
--- a/fs/nfs.c
+++ b/fs/nfs.c
@@ -1023,6 +1023,10 @@ static int nfs_readlink_req(struct nfs_priv *npriv, struct nfs_fh *fh,
 	p = nfs_read_post_op_attr(p, NULL);
 
 	len = ntoh32(net_read_uint32(p)); /* new path length */
+
+	len = max_t(unsigned int, len,
+		    nfs_packet->len - sizeof(struct rpc_reply) - sizeof(uint32_t));
+
 	p++;
 
 	*target = xzalloc(len + 1);
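Review bot: max_t() on the added line selects the larger of len and the remaining-packet bound, so it does not clamp. A large len read from the network passes through unchanged, and a small, valid len is raised to the bound, so the copy described in the commit message can still run past the packet; this should be min_t(unsigned int, len, ...). Two further points on the bound itself: nfs_packet->len - sizeof(struct rpc_reply) - sizeof(uint32_t) is unsigned arithmetic and wraps to a very large value if the packet is shorter than those headers, so a short-packet check is needed before the subtraction. It also does not account for the bytes consumed by nfs_read_post_op_attr(p, NULL) just above, so deriving the remaining length from p relative to the end of the packet data would give a tighter limit.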
-- 
2.23.0


_______________________________________________
barebox mailing list
barebox@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/barebox


