[patch v2] sunrpc: integer underflow in rsc_parse()

From: Dan Carpenter
Date: Tue Feb 24 2015 - 10:34:35 EST

Next message: Michal Marek: "[PATCH 1/3] kconfig: Get rid of the P() macro in headers"
Previous message: Steven Rostedt: "Re: RFC: revert 43fa5460fe60"
Next in thread: Simo Sorce: "Re: [patch v2] sunrpc: integer underflow in rsc_parse()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

If we call groups_alloc() with invalid values then it's might lead to
memory corruption. For example, with a negative value then we might not
allocate enough for sizeof(struct group_info).

Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
---
v2: In v1, I changed groups_alloc(). The other places which call
groups_alloc() check the value before calling. Eric wanted that, either
have all the callers check, or all the callers rely on groups_alloc().
In the end, Bruce Fields said adding the check here was probably
reasonable.

diff --git a/net/sunrpc/auth_gss/svcauth_gss.c b/net/sunrpc/auth_gss/svcauth_gss.c
index 224a82f..1095be9 100644
--- a/net/sunrpc/auth_gss/svcauth_gss.c
+++ b/net/sunrpc/auth_gss/svcauth_gss.c
@@ -463,6 +463,8 @@ static int rsc_parse(struct cache_detail *cd,
/* number of additional gid's */
if (get_int(&mesg, &N))
goto out;
+ if (N < 0 || N > NGROUPS_MAX)
+ goto out;
status = -ENOMEM;
rsci.cred.cr_group_info = groups_alloc(N);
if (rsci.cred.cr_group_info == NULL)
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Michal Marek: "[PATCH 1/3] kconfig: Get rid of the P() macro in headers"
Previous message: Steven Rostedt: "Re: RFC: revert 43fa5460fe60"
Next in thread: Simo Sorce: "Re: [patch v2] sunrpc: integer underflow in rsc_parse()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]