From: Andrew Morton <akpm@linux-foundation.org>
To: argp-YZAGAMbGdGKGw+nKnLezzg@public.gmane.org
Cc: bugzilla-daemon-590EEB7GvNiWaY/ihj7yzEB+6BGkLq7r@public.gmane.org,
bugme-daemon-590EEB7GvNiWaY/ihj7yzEB+6BGkLq7r@public.gmane.org,
netdev@vger.kernel.org, "J. Bruce Fields" <bfields@fieldses.org>,
Trond Myklebust <trond.myklebust@fys.uio.no>,
Neil Brown <neilb@suse.de>,
linux-nfs@vger.kernel.org
Subject: Re: [Bugme-new] [Bug 14546] New: Off-by-two stack buffer overflow in function rpc_uaddr2sockaddr() of net/sunrpc/addr.c
Date: Tue, 10 Nov 2009 15:29:08 -0800
Message-ID: <20091110152908.7558a471.akpm@linux-foundation.org>
In-Reply-To: <bug-14546-10286-V0hAGp6uBxO456/isadD/XN4h3HLQggn@public.gmane.org/>
(switched to email. Please respond via emailed reply-to-all, not via the
bugzilla web interface).
On Thu, 5 Nov 2009 10:31:03 GMT
bugzilla-daemon-590EEB7GvNiWaY/ihj7yzEB+6BGkLq7r@public.gmane.org wrote:
> http://bugzilla.kernel.org/show_bug.cgi?id=14546
>
> Summary: Off-by-two stack buffer overflow in function
> rpc_uaddr2sockaddr() of net/sunrpc/addr.c
> Product: Networking
> Version: 2.5
> Kernel Version: 2.6.32-rc6
> Platform: All
> OS/Version: Linux
> Tree: Mainline
> Status: NEW
> Severity: normal
> Priority: P1
> Component: Other
> AssignedTo: acme-f8uhVLnGfZaxAyOMLChx1axOck334EZe@public.gmane.org
> ReportedBy: argp-YZAGAMbGdGKGw+nKnLezzg@public.gmane.org
> CC: argp-YZAGAMbGdGKGw+nKnLezzg@public.gmane.org
> Regression: No
>
>
> There is an off-by-two stack buffer overflow in function rpc_uaddr2sockaddr()
> of file net/sunrpc/addr.c in the Linux kernel SUNRPC implementation.
>
> The function rpc_uaddr2sockaddr() that is used to convert a universal address
> to a socket address takes as an argument the size_t variable uaddr_len (the
> length of the universal address string). The stack buffer buf is declared in
> line 315 to be of size RPCBIND_MAXUADDRLEN. If the passed argument uaddr_len is
> equal to RPCBIND_MAXUADDRLEN then the check at line 319 passes and then at
> lines 324 and 325 there are two out-of-bounds assignments:
>
> 319 if (uaddr_len > sizeof(buf))
> 320 return 0;
> ...
> 324 buf[uaddr_len] = '\n';
> 325 buf[uaddr_len + 1] = '\0';
>
> To fix it please see the attached patch.
>
Please don't submit patches via bugzilla.
Please prepare this patch as per Documentation/SubmittingPatches and
email it to all the recipients of this email, thanks.
--- ./net/sunrpc/addr.c.orig 2009-11-05 11:55:45.000000000 +0200
+++ ./net/sunrpc/addr.c 2009-11-05 12:09:34.000000000 +0200
@@ -316,7 +316,7 @@
unsigned long portlo, porthi;
unsigned short port;
- if (uaddr_len > sizeof(buf))
+ if (uaddr_len > sizeof(buf) - 2)
return 0;
memcpy(buf, uaddr, uaddr_len);
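Review bot: The bare `- 2` in `if (uaddr_len > sizeof(buf) - 2)` should carry a comment saying it reserves room for the '\n' and '\0' that the report shows being stored at buf[uaddr_len] and buf[uaddr_len + 1]; as written the constant looks arbitrary. The tightened check also rejects lengths of RPCBIND_MAXUADDRLEN - 1 and RPCBIND_MAXUADDRLEN, which the old comparison accepted, so if those are meant to be valid input the alternative is to keep the original comparison and declare buf two bytes larger. The file headers use `./net/sunrpc/addr.c.orig` style paths, so the resend should be regenerated as Documentation/SubmittingPatches asks.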
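The boundary arithmetic from the quoted report, as an added user-space model (not part of the original message and not kernel code). `MODEL_MAXUADDRLEN`, `model_terminate()`, the guard bytes and the sample string are constructed for illustration; the model keeps two guard bytes after the logical buffer so the out-of-bounds stores can be counted without corrupting anything.

```c
#include <stdio.h>
#include <string.h>

#define MODEL_MAXUADDRLEN 16u  /* constructed stand-in for RPCBIND_MAXUADDRLEN */
#define GUARD_LEN 2u           /* bytes placed after the logical buffer */
#define GUARD_BYTE 0x5a

enum check_variant { CHECK_ORIGINAL, CHECK_PATCHED };

/* Constructed sample input: MODEL_MAXUADDRLEN characters plus a NUL. */
static const char SAMPLE_UADDR[MODEL_MAXUADDRLEN + 1] = "aaaaaaaaaaaaaaaa";

/*
 * Model of the check, copy and two terminating stores described in the report.
 * Returns -1 if the length is rejected, otherwise the number of guard bytes
 * (bytes beyond the logical buffer) that were overwritten.
 */
static int model_terminate(enum check_variant v, const char *uaddr, size_t uaddr_len)
{
    unsigned char backing[MODEL_MAXUADDRLEN + GUARD_LEN];
    const size_t bufsize = MODEL_MAXUADDRLEN;   /* plays the role of sizeof(buf) */
    const size_t limit = (v == CHECK_PATCHED) ? bufsize - 2 : bufsize;
    int clobbered = 0;
    size_t i;

    memset(backing, GUARD_BYTE, sizeof(backing));
    if (uaddr_len > limit)
        return -1;

    memcpy(backing, uaddr, uaddr_len);
    backing[uaddr_len] = '\n';       /* the store at line 324 in the report */
    backing[uaddr_len + 1] = '\0';   /* the store at line 325 in the report */

    for (i = 0; i < GUARD_LEN; i++)
        if (backing[bufsize + i] != GUARD_BYTE)
            clobbered++;
    return clobbered;
}

int main(void)
{
    size_t len;

    for (len = MODEL_MAXUADDRLEN - 2; len <= MODEL_MAXUADDRLEN + 1; len++)
        printf("len=%zu original=%d patched=%d\n", len,
               model_terminate(CHECK_ORIGINAL, SAMPLE_UADDR, len),
               model_terminate(CHECK_PATCHED, SAMPLE_UADDR, len));
    return 0;
}
```

With the original comparison a length one below the maximum already puts the '\0' out of bounds, so the patched limit has to exclude both of the top two lengths.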