Re: [PATCH] nfsd: wrong index used in inner loop

From: Andrew Morton
Date: Wed Mar 09 2011 - 18:42:46 EST


On Tue, 08 Mar 2011 22:32:26 +0100
roel <roel.kluin@xxxxxxxxx> wrote:

> Index i was already used in the outer loop
>
> Signed-off-by: Roel Kluin <roel.kluin@xxxxxxxxx>
> ---
> fs/nfsd/nfs4xdr.c | 4 ++--
> 1 files changed, 2 insertions(+), 2 deletions(-)
>
> Not 100% sure this one is needed but it looks suspicious.
>
> diff --git a/fs/nfsd/nfs4xdr.c b/fs/nfsd/nfs4xdr.c
> index 1275b86..615f0a9 100644
> --- a/fs/nfsd/nfs4xdr.c
> +++ b/fs/nfsd/nfs4xdr.c
> @@ -1142,7 +1142,7 @@ nfsd4_decode_create_session(struct nfsd4_compoundargs *argp,
>
> u32 dummy;
> char *machine_name;
> - int i;
> + int i, j;
> int nr_secflavs;
>
> READ_BUF(16);
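Review bot: the new `j` is declared at function scope next to `i`, but it only serves the one inner loop in the second hunk; a short comment at the declaration (or a block-scoped declaration beside that loop) would make it obvious why a second counter exists, so a later cleanup does not "simplify" it back to `i`.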
> @@ -1215,7 +1215,7 @@ nfsd4_decode_create_session(struct nfsd4_compoundargs *argp,
> READ_BUF(4);
> READ32(dummy);
> READ_BUF(dummy * 4);
> - for (i = 0; i < dummy; ++i)
> + for (j = 0; j < dummy; ++j)
> READ32(dummy);
> break;
> case RPC_AUTH_GSS:
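Review bot: switching the counter to `j` stops this loop from clobbering the outer loop's `i`, but the loop bound is still `dummy`, and the body `READ32(dummy);` overwrites `dummy` on every iteration with a value taken from the wire, so the number of iterations no longer matches the `dummy * 4` bytes that `READ_BUF(dummy * 4);` checked for; read the skipped words into a separate throwaway variable, or save the count before the loop, e.g. `u32 nr = dummy; for (j = 0; j < nr; ++j) READ32(dummy);`, so a crafted count cannot desynchronise the loop from the buffer length that was validated.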

ooh, big bug.

I wonder why it was not previously detected at runtime. Perhaps
nr_secflavs is always 1.

afaict this bug will allow a well-crafted packet to cause an
infinite-until-it-oopses loop in the kernel.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/