authorSascha Hauer <s.hauer@pengutronix.de>2019-09-02 09:42:15 +0200
committerSascha Hauer <s.hauer@pengutronix.de>2019-09-02 09:46:14 +0200
commit574ce994016107ad8ab0f845a785f28d7eaa5208 (patch)
treee818867ab42c04710977a613d5865e5078fb7c5a
parent84986ca024462058574432b5483f4bf9136c538d (diff)
fs: nfs: Fix possible buffer overflow
nfs_readlink_req() interprets a 32bit value directly received from the network as length argument to memcpy() without any boundary checking. Clamp the copy size at the end of the incoming packet. Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
-rw-r--r--fs/nfs.c4
1 files changed, 4 insertions, 0 deletions
diff --git a/fs/nfs.c b/fs/nfs.c
index d606ccd1e9..0ad07aa3f2 100644
--- a/fs/nfs.c
+++ b/fs/nfs.c
@@ -1023,6 +1023,10 @@ static int nfs_readlink_req(struct nfs_priv *npriv, struct nfs_fh *fh,
p = nfs_read_post_op_attr(p, NULL);
len = ntoh32(net_read_uint32(p)); /* new path length */
+
+ len = max_t(unsigned int, len,
+ nfs_packet->len - sizeof(struct rpc_reply) - sizeof(uint32_t));
+
p++;
*target = xzalloc(len + 1);
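Review bot: The clamp added after the `ntoh32()` read uses `max_t`, which keeps the larger of its two operands, so a network-supplied length that exceeds the packet passes through unchanged and a short, valid length is raised to the packet remainder. The commit message describes clamping the copy size to the end of the packet, which needs `min_t`: `len = min_t(unsigned int, len, nfs_packet->len - sizeof(struct rpc_reply) - sizeof(uint32_t));`. The bound itself also looks loose: the subtraction involves `sizeof` and so is unsigned, wrapping to a huge value if the reply is shorter than those two headers, and it does not appear to account for the bytes consumed by `nfs_read_post_op_attr()` or for the length word itself. Checking the packet length first and deriving the remaining bytes from `p` would be tighter. The `memcpy()` that consumes `len` is below the hunk, in the part of `nfs_readlink_req()` not shown here.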