authorDavid Howells <dhowells@redhat.com>2006-08-24 15:44:19 -0400
committerTrond Myklebust <Trond.Myklebust@netapp.com>2006-08-24 15:53:34 -0400
commite8896495bca8490a427409e0886d63d05419ec65 (patch)
treeb402c7c7a868501e3c6dbcf1874ead3368152ea4 /net
parent3cedf13af9f7e61aca0dbbd11b601ac93bf93a9f (diff)
NFS: Check lengths more thoroughly in NFS4 readdir XDR decode
Check the bounds of length specifiers more thoroughly in the XDR decoding of NFS4 readdir reply data. Currently, if the server returns a bitmap or attr length that causes the current decode point pointer to wrap, this could go undetected (consider a small "negative" length on a 32-bit machine). Also add a check into the main XDR decode handler to make sure that the amount of data is a multiple of four bytes (as specified by RFC-1014). This makes sure that we can do u32* pointer subtraction in the NFS client without risking an undefined result (the result is undefined if the pointers are not correctly aligned with respect to one another). Signed-Off-By: David Howells <dhowells@redhat.com> Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com> (cherry picked from 5861fddd64a7eaf7e8b1a9997455a24e7f688092 commit)
Diffstat (limited to 'net')
-rw-r--r--net/sunrpc/clnt.c11
1 files changed, 11 insertions, 0 deletions
diff --git a/net/sunrpc/clnt.c b/net/sunrpc/clnt.c
index d9eac7069101..3e19d321067a 100644
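--- a/net/sunrpc/clnt.c
+++ b/net/sunrpc/clnt.c
@@ -1181,6 +1181,17 @@ call_verify(struct rpc_task *task)
 u32 *p = iov->iov_base, n;
 int error = -EACCES;
 
+if ((task->tk_rqstp->rq_rcv_buf.len & 3) != 0) {
+/* RFC-1014 says that the representation of XDR data must be a
+* multiple of four bytes
+* - if it isn't pointer subtraction in the NFS client may give
+* undefined results
+*/
+printk(KERN_WARNING
+"call_verify: XDR representation not a multiple of"
+" 4 bytes: 0x%x\n", task->tk_rqstp->rq_rcv_buf.len);
+goto out_eio;
+}
 if ((len -= 3) < 0)
 goto out_overflow;
 p += 1; /* skip XID */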
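Review bot: The new `printk(KERN_WARNING ...)` at the top of call_verify() fires for every reply whose `rq_rcv_buf.len` is not a multiple of four, and that length appears to come from data sent by the remote server, so a buggy or hostile peer could flood the kernel log. Guard the message with a rate limit, for example `if (printk_ratelimit())` on the line before the `printk`, and leave the `goto out_eio` unconditional. The `out_eio` label and the rest of call_verify() lie outside the hunk, so whether the task is retransmitted after this rejection cannot be confirmed from here; if it is, each retry would log again, which makes the rate limit more important. The message would also be easier to act on if it identified which server sent the malformed reply.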