nfsd4: reject "negative" acl lengths · 64a817cfbd - Gogs

nfsd4: reject "negative" acl lengths

Since we only enforce an upper bound, not a lower bound, a "negative"
length can get through here.

The symptom seen was a warning when we attempt to a kmalloc with an
excessive size.

Reported-by: Toralf Förster <toralf.foerster@gmx.de>
Cc: stable@kernel.org
Signed-off-by: J. Bruce Fields <bfields@redhat.com>

J. Bruce Fields 12 years ago

parent

e49dbbf3e7

commit

64a817cfbd

1 changed files with 1 additions and 1 deletions

Split View Show Diff Stats

						
							+ 1
							
							- 1
						
fs/nfsd/nfs4xdr.c
							 
								View File
							
				@@ -264,7 +264,7 @@ nfsd4_decode_fattr(struct nfsd4_compoundargs *argp, u32 *bmval,
			
				 		iattr->ia_valid |= ATTR_SIZE;
			
				 	}
			
				 	if (bmval[0] & FATTR4_WORD0_ACL) {
			
				-		int nace;
			
				+		u32 nace;
			
				 		struct nfs4_ace *ace;
			
				 		READ_BUF(4); len += 4;