diff options
| author | Sachin Prabhu <sprabhu@redhat.com> | 2012-03-22 12:46:28 -0400 |
|---|---|---|
| committer | Luis Henriques <luis.henriques@canonical.com> | 2012-06-12 05:59:09 -0400 |
| commit | ccfff9a555b222adc890db9a08679070e1558a1d (patch) | |
| tree | c325c081006de2e9bb9ae8e70f0403109e5c7298 /fs | |
| parent | 87a8d424eb49b57af410d33a10fef7bb221de88b (diff) | |
Fix length of buffer copied in __nfs4_get_acl_uncached
BugLink: http://bugs.launchpad.net/bugs/1002505
CVE-2012-2375
_copy_from_pages() used to copy data from the temporary buffer to the
user passed buffer is passed the wrong size parameter when copying
data. res.acl_len contains both the bitmap and acl lenghts while
acl_len contains the acl length after adjusting for the bitmap size.
Signed-off-by: Sachin Prabhu <sprabhu@redhat.com>
Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
(cherry picked from commit 20e0fa98b751facf9a1101edaefbc19c82616a68)
Signed-off-by: Brad Figg <brad.figg@canonical.com>
Acked-by: Herton Krzesinski <herton.krzesinski@canonical.com>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
Diffstat (limited to 'fs')
| -rw-r--r-- | fs/nfs/nfs4proc.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c index 28dc044dc8f..0cfb9a6d1a8 100644 --- a/fs/nfs/nfs4proc.c +++ b/fs/nfs/nfs4proc.c | |||
| @@ -3609,7 +3609,7 @@ static ssize_t __nfs4_get_acl_uncached(struct inode *inode, void *buf, size_t bu | |||
| 3609 | if (acl_len > buflen) | 3609 | if (acl_len > buflen) |
| 3610 | goto out_free; | 3610 | goto out_free; |
| 3611 | _copy_from_pages(buf, pages, res.acl_data_offset, | 3611 | _copy_from_pages(buf, pages, res.acl_data_offset, |
| 3612 | res.acl_len); | 3612 | acl_len); |
| 3613 | } | 3613 | } |
| 3614 | ret = acl_len; | 3614 | ret = acl_len; |
| 3615 | out_free: | 3615 | out_free: |