From 84986ca024462058574432b5483f4bf9136c538d Mon Sep 17 00:00:00 2001
From: Sascha Hauer
Date: Mon, 2 Sep 2019 09:42:15 +0200
Subject: net: nfs: Fix possible buffer overflow

nfs_readlink_reply() interprets a 32bit value directly received from the network as length argument to memcpy() without any boundary checking. Clamp the copy size at the end of the incoming packet.

Signed-off-by: Sascha Hauer
---
 net/nfs.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
(limited to 'net/nfs.c')

diff --git a/net/nfs.c b/net/nfs.c
index 0a3021994a..63573098d7 100644
--- a/net/nfs.c
+++ b/net/nfs.c
@@ -502,7 +502,7 @@ static int nfs_readlink_reply(unsigned char *pkt, unsigned len)
 {
 	uint32_t *data;
 	char *path;
-	int rlen;
+	unsigned int rlen;
 	int ret;
 
 	ret = rpc_check_reply(pkt, 1);
@@ -515,6 +515,9 @@ static int nfs_readlink_reply(unsigned char *pkt, unsigned len)
 
 	rlen = ntohl(net_read_uint32(data)); /* new path length */
 
+	rlen = max_t(unsigned int, rlen,
+		     len - sizeof(struct rpc_reply) - sizeof(uint32_t));
+
 	data++;
 	path = (char *)data;
 
-- 
cgit v1.2.3
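Review bot: The clamp added in the second hunk uses max_t, which keeps the larger of rlen and the remaining packet length, so an oversized length received from the network is never reduced and a short one is inflated to the packet remainder; the commit message asks for the size to be clamped at the end of the packet, which is min_t: `rlen = min_t(unsigned int, rlen, len - sizeof(struct rpc_reply) - sizeof(uint32_t));`. The subtraction also wraps to a huge unsigned value when len is smaller than sizeof(struct rpc_reply) + sizeof(uint32_t); presumably rpc_check_reply() already rejects such packets, but that is not visible here and is worth confirming or guarding explicitly. The remaining-length expression assumes data sits exactly one uint32_t past the rpc_reply header in pkt, and the destination of the later memcpy() has its own capacity that this change does not bound, so both the lines that set data and the copy itself deserve a look. nfs_readlink_reply() continues past the end of the hunk.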