    nfsd4: fix bad bounds checking · c3a74fac
    J. Bruce Fields authored
    commit 4aed9c46 upstream.
    
    A number of spots in the xdr decoding follow a pattern like
    
    	n = be32_to_cpup(p++);
    	READ_BUF(n + 4);
    
    where n is a u32.  The only bounds checking is done in READ_BUF itself,
    but since it's checking (n + 4), it won't catch cases where n is very
    large, (u32)(-4) or higher.  I'm not sure exactly what the consequences
    are, but we've seen crashes soon after.
    
    Instead, just break these up into two READ_BUF()s.
    Signed-off-by: J. Bruce Fields <bfields@redhat.com>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
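The wraparound the commit message describes, reduced to a stand-alone model (added illustration, not code from nfs4xdr.c): `read_buf`, `decode_old`, `decode_new` and the `remaining` counter are hypothetical stand-ins for READ_BUF and the kernel's XDR decode state, chosen only to show why checking `n + 4` in one step passes for `n >= (u32)(-4)` while two separate checks reject it.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the XDR decode state: only the number of bytes
 * still available in the receive buffer matters for this demonstration. */
struct xdr_state {
    size_t remaining;
};

/* Models the single check READ_BUF performs: are `nbytes` still available?
 * The argument is u32, so any arithmetic the caller did has already wrapped. */
static bool read_buf(struct xdr_state *xs, uint32_t nbytes)
{
    if (nbytes > xs->remaining)
        return false;            /* would read past the end of the buffer */
    xs->remaining -= nbytes;
    return true;
}

/* Old pattern: READ_BUF(n + 4). For n >= (u32)(-4) the sum wraps to a small
 * value, so the check passes although n bytes are not actually available. */
bool decode_old(size_t remaining, uint32_t n)
{
    struct xdr_state xs = { .remaining = remaining };
    return read_buf(&xs, n + 4);
}

/* Fixed pattern from the commit: two separate READ_BUF()s, so each length
 * is validated on its own and no 32-bit wraparound can hide a huge n. */
bool decode_new(size_t remaining, uint32_t n)
{
    struct xdr_state xs = { .remaining = remaining };
    if (!read_buf(&xs, n))
        return false;
    return read_buf(&xs, 4);
}

int main(void)
{
    uint32_t huge = (uint32_t)-4;   /* n + 4 wraps to 0 */
    printf("old pattern accepts huge n: %d\n", decode_old(64, huge)); /* 1 */
    printf("new pattern accepts huge n: %d\n", decode_new(64, huge)); /* 0 */
    printf("sane n (8 of 64): old=%d new=%d\n",
           decode_old(64, 8), decode_new(64, 8));                     /* 1 1 */
    return 0;
}
```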
nfs4xdr.c 103 KB