Gitiles
Code Review Sign In
review.evervolv.com / android_kernel_htc_msm8960 / 58fcb8df0bf663bb6b8f46cd3010bfe8d13d97cf^! / .
commit58fcb8df0bf663bb6b8f46cd3010bfe8d13d97cf[log] [tgz]
authorTrond Myklebust <Trond.Myklebust@netapp.com>Wed Aug 10 18:15:12 2005 -0400
committerLinus Torvalds <torvalds@g5.osdl.org>Tue Aug 16 08:52:11 2005 -0700
tree24edbecfb5875cf6c602b1fd5126c7dfce9ae127
parent75cd968ab251ac84dd3a5dc252af7036dc4a64f4 [diff]
[PATCH] NFS: Ensure ACL xdr code doesn't overflow.

Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>

diff --git a/fs/nfs_common/nfsacl.c b/fs/nfs_common/nfsacl.c
index 18c58c3..251e5a1 100644
--- a/fs/nfs_common/nfsacl.c
+++ b/fs/nfs_common/nfsacl.c

@@ -239,6 +239,7 @@
 	if (xdr_decode_word(buf, base, &entries) ||
 	    entries > NFS_ACL_MAX_ENTRIES)
 		return -EINVAL;
+	nfsacl_desc.desc.array_maxlen = entries;
 	err = xdr_decode_array2(buf, base + 4, &nfsacl_desc.desc);
 	if (err)
 		return err;

diff --git a/include/linux/sunrpc/xdr.h b/include/linux/sunrpc/xdr.h
index 34ec3e8..23448d0 100644
--- a/include/linux/sunrpc/xdr.h
+++ b/include/linux/sunrpc/xdr.h

@@ -177,6 +177,7 @@
 struct xdr_array2_desc {
 	unsigned int elem_size;
 	unsigned int array_len;
+	unsigned int array_maxlen;
 	xdr_xcode_elem_t xcode;
 };
 

diff --git a/net/sunrpc/xdr.c b/net/sunrpc/xdr.c
index 8a4d9c1..fde16f4 100644
--- a/net/sunrpc/xdr.c
+++ b/net/sunrpc/xdr.c

@@ -993,6 +993,7 @@
 			return -EINVAL;
 	} else {
 		if (xdr_decode_word(buf, base, &desc->array_len) != 0 ||
+		    desc->array_len > desc->array_maxlen ||
 		    (unsigned long) base + 4 + desc->array_len *
 				    desc->elem_size > buf->len)
 			return -EINVAL;