diff options
author | Sascha Hauer <s.hauer@pengutronix.de> | 2019-09-02 09:42:15 +0200 |
---|---|---|
committer | Sascha Hauer <s.hauer@pengutronix.de> | 2019-09-02 09:46:14 +0200 |
commit | 574ce994016107ad8ab0f845a785f28d7eaa5208 (patch) | |
tree | e818867ab42c04710977a613d5865e5078fb7c5a | |
parent | 84986ca024462058574432b5483f4bf9136c538d (diff) | |
download | barebox-574ce994016107ad8ab0f845a785f28d7eaa5208.tar.gz barebox-574ce994016107ad8ab0f845a785f28d7eaa5208.tar.xz |
fs: nfs: Fix possible buffer overflow
nfs_readlink_req() interprets a 32bit value directly received from the
network as length argument to memcpy() without any boundary checking.
Clamp the copy size at the end of the incoming packet.
Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
-rw-r--r-- | fs/nfs.c | 4 |
1 files changed, 4 insertions, 0 deletions
@@ -1023,6 +1023,10 @@ static int nfs_readlink_req(struct nfs_priv *npriv, struct nfs_fh *fh, p = nfs_read_post_op_attr(p, NULL); len = ntoh32(net_read_uint32(p)); /* new path length */ + + len = max_t(unsigned int, len, + nfs_packet->len - sizeof(struct rpc_reply) - sizeof(uint32_t)); + p++; *target = xzalloc(len + 1); |