Skip to content

Commit

Permalink
SUNRPC: Fix integer overflow in decode_rc_list()
Browse files Browse the repository at this point in the history
[ Upstream commit 6dbf1f3 ]

The math in "rc_list->rcl_nrefcalls * 2 * sizeof(uint32_t)" could have an
integer overflow.  Add bounds checking on rc_list->rcl_nrefcalls to fix
that.

Fixes: 4aece6a ("nfs41: cb_sequence xdr implementation")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Signed-off-by: Anna Schumaker <anna.schumaker@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
  • Loading branch information
Dan Carpenter authored and gregkh committed Oct 17, 2024
1 parent fde7db1 commit dedc14e
Showing 1 changed file with 2 additions and 0 deletions.
2 changes: 2 additions & 0 deletions fs/nfs/callback_xdr.c
Original file line number Diff line number Diff line change
Expand Up @@ -372,6 +372,8 @@ static __be32 decode_rc_list(struct xdr_stream *xdr,

rc_list->rcl_nrefcalls = ntohl(*p++);
if (rc_list->rcl_nrefcalls) {
if (unlikely(rc_list->rcl_nrefcalls > xdr->buf->len))
goto out;
p = xdr_inline_decode(xdr,
rc_list->rcl_nrefcalls * 2 * sizeof(uint32_t));
if (unlikely(p == NULL))
Expand Down

0 comments on commit dedc14e

Please sign in to comment.