diff options
| author | Sascha Hauer <s.hauer@pengutronix.de> | 2019-09-02 09:42:15 +0200 |
|---|---|---|
| committer | Sascha Hauer <s.hauer@pengutronix.de> | 2019-09-02 09:42:45 +0200 |
| commit | 84986ca024462058574432b5483f4bf9136c538d (patch) | |
| tree | aa618622e32e209fbe66fabaa95780e322cfb343 | |
| parent | 3dc45020a9dd75af628bc0eca07465b2a4c7378f (diff) | |
| download | barebox-84986ca024462058574432b5483f4bf9136c538d.tar.gz barebox-84986ca024462058574432b5483f4bf9136c538d.tar.xz | |
net: nfs: Fix possible buffer overflow
nfs_readlink_reply() interprets a 32bit value directly received from the
network as length argument to memcpy() without any boundary checking.
Clamp the copy size at the end of the incoming packet.
Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
| -rw-r--r-- | net/nfs.c | 5 |
1 files changed, 4 insertions, 1 deletions
@@ -502,7 +502,7 @@ static int nfs_readlink_reply(unsigned char *pkt, unsigned len) { uint32_t *data; char *path; - int rlen; + unsigned int rlen; int ret; ret = rpc_check_reply(pkt, 1); @@ -515,6 +515,9 @@ static int nfs_readlink_reply(unsigned char *pkt, unsigned len) rlen = ntohl(net_read_uint32(data)); /* new path length */ + rlen = max_t(unsigned int, rlen, + len - sizeof(struct rpc_reply) - sizeof(uint32_t)); + data++; path = (char *)data; |