• J. Bruce Fields's avatar
    nfsd4: fix bad bounds checking · 4aed9c46
    J. Bruce Fields authored
    A number of spots in the xdr decoding follow a pattern like
    
    	n = be32_to_cpup(p++);
    	READ_BUF(n + 4);
    
    where n is a u32.  The only bounds checking is done in READ_BUF itself,
    but since it's checking (n + 4), it won't catch cases where n is very
    large, (u32)(-4) or higher.  I'm not sure exactly what the consequences
    are, but we've seen crashes soon after.
    
    Instead, just break these up into two READ_BUF()s.
    
    Cc: stable@vger.kernel.org
    Signed-off-by: default avatarJ. Bruce Fields <bfields@redhat.com>
    4aed9c46
nfs4xdr.c 113 KB