Commit 7d3e91a8 authored by Sven Wegener's avatar Sven Wegener Committed by Trond Myklebust

NFSv4: Check for buffer length in __nfs4_get_acl_uncached

Commit 1f1ea6c2 "NFSv4: Fix buffer overflow checking in
__nfs4_get_acl_uncached" accidently dropped the checking for too small
result buffer length.

If someone uses getxattr on "system.nfs4_acl" on an NFSv4 mount
supporting ACLs, the ACL has not been cached and the buffer suplied is
too short, we still copy the complete ACL, resulting in kernel and user
space memory corruption.
Signed-off-by: default avatarSven Wegener <sven.wegener@stealer.net>
Cc: stable@kernel.org
Signed-off-by: default avatarTrond Myklebust <Trond.Myklebust@netapp.com>
parent 4c100210
...@@ -3937,8 +3937,13 @@ static ssize_t __nfs4_get_acl_uncached(struct inode *inode, void *buf, size_t bu ...@@ -3937,8 +3937,13 @@ static ssize_t __nfs4_get_acl_uncached(struct inode *inode, void *buf, size_t bu
goto out_free; goto out_free;
} }
nfs4_write_cached_acl(inode, pages, res.acl_data_offset, res.acl_len); nfs4_write_cached_acl(inode, pages, res.acl_data_offset, res.acl_len);
if (buf) if (buf) {
if (res.acl_len > buflen) {
ret = -ERANGE;
goto out_free;
}
_copy_from_pages(buf, pages, res.acl_data_offset, res.acl_len); _copy_from_pages(buf, pages, res.acl_data_offset, res.acl_len);
}
out_ok: out_ok:
ret = res.acl_len; ret = res.acl_len;
out_free: out_free:
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment