Gitiles
Code Review Sign In
android-review.linaro.org / kernel / hikey-linaro / 4aed9c46afb80164401143aa0fdcfe3798baa9d5
commit4aed9c46afb80164401143aa0fdcfe3798baa9d5[log] [tgz]
authorJ. Bruce Fields <bfields@redhat.com>Mon Feb 29 20:21:21 2016 -0500
committerJ. Bruce Fields <bfields@redhat.com>Tue Mar 01 13:02:57 2016 -0800
treefa0cae60a7a74660937630b60e4c255774777a85
parentb7052cd7bcf3c1478796e93e3dff2b44c9e82943 [diff]
nfsd4: fix bad bounds checking

A number of spots in the xdr decoding follow a pattern like

	n = be32_to_cpup(p++);
	READ_BUF(n + 4);

where n is a u32.  The only bounds checking is done in READ_BUF itself,
but since it's checking (n + 4), it won't catch cases where n is very
large, (u32)(-4) or higher.  I'm not sure exactly what the consequences
are, but we've seen crashes soon after.

Instead, just break these up into two READ_BUF()s.

Cc: stable@vger.kernel.org
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
1 file changed
tree: fa0cae60a7a74660937630b60e4c255774777a85
  1. arch/
  2. block/
  3. certs/
  4. crypto/
  5. Documentation/
  6. drivers/
  7. firmware/
  8. fs/
  9. include/
  10. init/
  11. ipc/
  12. kernel/
  13. lib/
  14. mm/
  15. net/
  16. samples/
  17. scripts/
  18. security/
  19. sound/
  20. tools/
  21. usr/
  22. virt/
  23. .get_maintainer.ignore
  24. .gitignore
  25. .mailmap
  26. COPYING
  27. CREDITS
  28. Kbuild
  29. Kconfig
  30. MAINTAINERS
  31. Makefile
  32. README
  33. REPORTING-BUGS