diff options
| author | J. Bruce Fields <bfields@citi.umich.edu> | 2008-08-29 19:18:45 -0400 |
|---|---|---|
| committer | J. Bruce Fields <bfields@citi.umich.edu> | 2008-09-01 14:24:24 -0400 |
| commit | 91b80969ba466ba4b915a4a1d03add8c297add3f (patch) | |
| tree | 2e35e071d4faa5a57ab6ed4d74cd3ef686e1ba91 /fs | |
| parent | 27df6f25ff218072e0e879a96beeb398a79cdbc8 (diff) | |
nfsd: fix buffer overrun decoding NFSv4 acl
The array we kmalloc() here is not large enough.
Thanks to Johann Dahm and David Richter for bug report and testing.
Signed-off-by: J. Bruce Fields <bfields@citi.umich.edu>
Cc: David Richter <richterd@citi.umich.edu>
Tested-by: Johann Dahm <jdahm@umich.edu>
Diffstat (limited to 'fs')
| -rw-r--r-- | fs/nfsd/nfs4acl.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/fs/nfsd/nfs4acl.c b/fs/nfsd/nfs4acl.c index b6ed38380ab8..54b8b4140c8f 100644 --- a/fs/nfsd/nfs4acl.c +++ b/fs/nfsd/nfs4acl.c | |||
| @@ -443,7 +443,7 @@ init_state(struct posix_acl_state *state, int cnt) | |||
| 443 | * enough space for either: | 443 | * enough space for either: |
| 444 | */ | 444 | */ |
| 445 | alloc = sizeof(struct posix_ace_state_array) | 445 | alloc = sizeof(struct posix_ace_state_array) |
| 446 | + cnt*sizeof(struct posix_ace_state); | 446 | + cnt*sizeof(struct posix_user_ace_state); |
| 447 | state->users = kzalloc(alloc, GFP_KERNEL); | 447 | state->users = kzalloc(alloc, GFP_KERNEL); |
| 448 | if (!state->users) | 448 | if (!state->users) |
| 449 | return -ENOMEM; | 449 | return -ENOMEM; |