首頁 探索 說明
註冊 登入
phyus
/
linux-vybrid_public
8
0
複刻 0
檔案 問題管理 0 合併請求 0 Wiki
瀏覽代碼

NFSv4: Check for buffer length in __nfs4_get_acl_uncached

Commit 1f1ea6c "NFSv4: Fix buffer overflow checking in
__nfs4_get_acl_uncached" accidently dropped the checking for too small
result buffer length.

If someone uses getxattr on "system.nfs4_acl" on an NFSv4 mount
supporting ACLs, the ACL has not been cached and the buffer suplied is
too short, we still copy the complete ACL, resulting in kernel and user
space memory corruption.

Signed-off-by: Sven Wegener <sven.wegener@stealer.net>
Cc: stable@kernel.org
Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
Sven Wegener 12 年之前
父節點
4c10021008
當前提交
7d3e91a89b
共有 1 個文件被更改,包括 6 次插入1 次删除
分割檢視 顯示文件統計
  1. 6 1
      fs/nfs/nfs4proc.c

+ 6 - 1
fs/nfs/nfs4proc.c
查看文件 

@@ -3937,8 +3937,13 @@ static ssize_t __nfs4_get_acl_uncached(struct inode *inode, void *buf, size_t bu
 
 		goto out_free;
 
 	}
 
 	nfs4_write_cached_acl(inode, pages, res.acl_data_offset, res.acl_len);
 
-	if (buf)
 
+	if (buf) {
 
+		if (res.acl_len > buflen) {
 
+			ret = -ERANGE;
 
+			goto out_free;
 
+		}
 
 		_copy_from_pages(buf, pages, res.acl_data_offset, res.acl_len);
 
+	}
 
 out_ok:
 
 	ret = res.acl_len;
 
 out_free: