[PATCH] nfsd: prevent integer overflow in decode_cb_compound4res()

From: Dan Carpenter
Date: Mon Sep 16 2024 - 11:14:33 EST

Next message: Frank Li: "Re: [PATCH v3 03/11] i3c: master: Extend address status bit to 4 and add I3C_ADDR_SLOT_EXT_INIT"
Previous message: Frank Li: "Re: [PATCH V5 1/2] i3c: master: support to adjust first broadcast address speed"
Next in thread: Chuck Lever: "Re: [PATCH] nfsd: prevent integer overflow in decode_cb_compound4res()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

If "length" is >= U32_MAX - 3 then the "length + 4" addition can result
in an integer overflow. The impact of this bug is not totally clear to
me, but it's safer to not allow the integer overflow.

There is also some math in xdr_inline_decode() which could overflow, so
really it's ">= U32_MAX - 7" which is problematic. Let's just check
against INT_MAX and make it easy.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
---
fs/nfsd/nfs4callback.c | 2 ++
1 file changed, 2 insertions(+)

diff --git a/fs/nfsd/nfs4callback.c b/fs/nfsd/nfs4callback.c
index 43b8320c8255..12b44c9246d1 100644
--- a/fs/nfsd/nfs4callback.c
+++ b/fs/nfsd/nfs4callback.c
@@ -317,6 +317,8 @@ static int decode_cb_compound4res(struct xdr_stream *xdr,
hdr->status = be32_to_cpup(p++);
/* Ignore the tag */
length = be32_to_cpup(p++);
+ if (unlikely(length > INT_MAX))
+ goto out_overflow;
p = xdr_inline_decode(xdr, length + 4);
if (unlikely(p == NULL))
goto out_overflow;
--
2.45.2

Next message: Frank Li: "Re: [PATCH v3 03/11] i3c: master: Extend address status bit to 4 and add I3C_ADDR_SLOT_EXT_INIT"
Previous message: Frank Li: "Re: [PATCH V5 1/2] i3c: master: support to adjust first broadcast address speed"
Next in thread: Chuck Lever: "Re: [PATCH] nfsd: prevent integer overflow in decode_cb_compound4res()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]