From 574ce994016107ad8ab0f845a785f28d7eaa5208 Mon Sep 17 00:00:00 2001
From: Sascha Hauer
Date: Mon, 2 Sep 2019 09:42:15 +0200
Subject: fs: nfs: Fix possible buffer overflow

nfs_readlink_req() interprets a 32bit value directly received from the network as length argument to memcpy() without any boundary checking. Clamp the copy size at the end of the incoming packet.

Signed-off-by: Sascha Hauer
---
 fs/nfs.c | 4 ++++
 1 file changed, 4 insertions(+)

(limited to 'fs/nfs.c')

diff --git a/fs/nfs.c b/fs/nfs.c
index d606ccd1e9..0ad07aa3f2 100644
--- a/fs/nfs.c
+++ b/fs/nfs.c
@@ -1023,6 +1023,10 @@ static int nfs_readlink_req(struct nfs_priv *npriv, struct nfs_fh *fh,
 p = nfs_read_post_op_attr(p, NULL);
 len = ntoh32(net_read_uint32(p)); /* new path length */
+
+ len = max_t(unsigned int, len,
+ nfs_packet->len - sizeof(struct rpc_reply) - sizeof(uint32_t));
+
 p++;
 *target = xzalloc(len + 1);
--
cgit v1.2.3
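Review bot: The clamp on the added `len = max_t(...)` line takes the maximum, so `len` can never become smaller than the remaining packet size and an oversized network-supplied length still reaches `xzalloc(len + 1)` and the `memcpy()` the commit message describes; bounding the copy at the end of the incoming packet needs the minimum, `len = min_t(unsigned int, len, nfs_packet->len - sizeof(struct rpc_reply) - sizeof(uint32_t));`. The bound is also measured from the start of the RPC reply, while `p` has already been advanced past the post-op attributes by `nfs_read_post_op_attr()` on the first context line, so the bytes actually left after the length field are presumably fewer than this expression yields; a bound derived from `p`'s offset into the packet would be tighter. If `nfs_packet->len` can be smaller than the two subtracted sizes, the unsigned subtraction wraps to a huge value, so that case should be rejected before the clamp. The body of nfs_readlink_req() begins and continues outside the hunk.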