summaryrefslogtreecommitdiffstats
path: root/net/nfs.c
diff options
context:
space:
mode:
authorSascha Hauer <s.hauer@pengutronix.de>2019-09-02 09:42:15 +0200
committerSascha Hauer <s.hauer@pengutronix.de>2019-09-02 09:42:45 +0200
commit84986ca024462058574432b5483f4bf9136c538d (patch)
treeaa618622e32e209fbe66fabaa95780e322cfb343 /net/nfs.c
parent3dc45020a9dd75af628bc0eca07465b2a4c7378f (diff)
net: nfs: Fix possible buffer overflow
nfs_readlink_reply() interprets a 32bit value directly received from the network as length argument to memcpy() without any boundary checking. Clamp the copy size at the end of the incoming packet. Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
Diffstat (limited to 'net/nfs.c')
-rw-r--r--net/nfs.c5
1 files changed, 4 insertions, 1 deletions
diff --git a/net/nfs.c b/net/nfs.c
index 0a30219..6357309 100644
--- a/net/nfs.c
+++ b/net/nfs.c
@@ -502,7 +502,7 @@ static int nfs_readlink_reply(unsigned char *pkt, unsigned len)
{
uint32_t *data;
char *path;
- int rlen;
+ unsigned int rlen;
int ret;
ret = rpc_check_reply(pkt, 1);
@@ -515,6 +515,9 @@ static int nfs_readlink_reply(unsigned char *pkt, unsigned len)
rlen = ntohl(net_read_uint32(data)); /* new path length */
+ rlen = max_t(unsigned int, rlen,
+ len - sizeof(struct rpc_reply) - sizeof(uint32_t));
+
data++;
path = (char *)data;