Potential xdr_xcode_array2 security issue (was: Re: [PATCH] RPC: Encode and decode arbitrary XDR arrays)

From: Florian Weimer
Date: Thu Jun 23 2005 - 00:51:20 EST


* Linux Kernel Mailing List:

> +xdr_xcode_array2(struct xdr_buf *buf, unsigned int base,
> + struct xdr_array2_desc *desc, int encode)
> +{
> + char *elem = NULL, *c;
> + unsigned int copied = 0, todo, avail_here;
> + struct page **ppages = NULL;
> + int err;
> +
> + if (encode) {
> + if (xdr_encode_word(buf, base, desc->array_len) != 0)
> + return -EINVAL;
> + } else {
> + if (xdr_decode_word(buf, base, &desc->array_len) != 0 ||
> + (unsigned long) base + 4 + desc->array_len *
> + desc->elem_size > buf->len)
> + return -EINVAL;
> + }

This looks suspiciously like CVE-2002-0391.
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/