From: Tim Gardner <tim.gardner@canonical.com>
To: "J. Bruce Fields" <bfields@redhat.com>
Cc: Greg KH <gregkh@suse.de>,
alan@lxorguk.ukuu.org.uk, Roel Kluin <roel.kluin@gmail.com>,
linux-kernel@vger.kernel.org, stable@kernel.org,
stable-review@kernel.org, torvalds@linux-foundation.org,
akpm@linux-foundation.org
Subject: Re: [14/17] nfsd: wrong index used in inner loop
Date: Thu, 17 Mar 2011 18:55:29 -0600 [thread overview]
Message-ID: <4D82AD81.7030107@canonical.com> (raw)
In-Reply-To: <20110317230012.GA4072@pad.home.fieldses.org>
On 03/17/2011 05:00 PM, J. Bruce Fields wrote:
> On Fri, Mar 11, 2011 at 10:21:58PM +0000, Tim Gardner wrote:
>> On 03/11/2011 08:40 PM, Greg KH wrote:
>>> 2.6.32-longterm review patch. If anyone has any objections, please let us know.
>>>
>>> ------------------
>>>
>>> From: roel<roel.kluin@gmail.com>
>>>
>>> commit 3ec07aa9522e3d5e9d5ede7bef946756e623a0a0 upstream.
>>>
>>> Index i was already used in the outer loop
>>>
>>> Signed-off-by: Roel Kluin<roel.kluin@gmail.com>
>>> Signed-off-by: J. Bruce Fields<bfields@redhat.com>
>>> Signed-off-by: Greg Kroah-Hartman<gregkh@suse.de>
>>>
>>> ---
>>> fs/nfsd/nfs4xdr.c | 4 ++--
>>> 1 file changed, 2 insertions(+), 2 deletions(-)
>>>
>>> --- a/fs/nfsd/nfs4xdr.c
>>> +++ b/fs/nfsd/nfs4xdr.c
>>> @@ -1114,7 +1114,7 @@ nfsd4_decode_create_session(struct nfsd4
>>>
>>> u32 dummy;
>>> char *machine_name;
>>> - int i;
>>> + int i, j;
>>> int nr_secflavs;
>>>
>>> READ_BUF(16);
>>> @@ -1187,7 +1187,7 @@ nfsd4_decode_create_session(struct nfsd4
>>> READ_BUF(4);
>>> READ32(dummy);
>>> READ_BUF(dummy * 4);
>>> - for (i = 0; i< dummy; ++i)
>>> + for (j = 0; j< dummy; ++j)
>>> READ32(dummy);
>>> break;
>>> case RPC_AUTH_GSS:
>>>
>>>
>>> --
>>
>> I agree that fixing the index in this loop is a good thing, but its
>> caused me to look at the result:
>>
>> for (j = 0; j< dummy; ++j)
>> READ32(dummy);
>>
>> It seems to me that this loop might never terminate if the original
>> buffer is maliciously constructed, e.g., 0, 1, 2, 3, ... Is the data
>> in this buffer really that well vetted?
>
> Agreed, the code's still clearly bogus. In fact, we can just delete
> that loop entirely; I have a patch queued up to send to Linus soon.
>
> (But go ahead and apply this anyway, and then you'll get the followup
> patch when it lands.)
>
> --b.
>
Will do. Thanks for the update.
rtg
--
Tim Gardner tim.gardner@canonical.com
next prev parent reply other threads:[~2011-03-18 0:55 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-03-11 20:41 [00/17] 2.6.32.33-longterm review Greg KH
2011-03-11 20:40 ` [01/17] cpuset: add a missing unlock in cpuset_write_resmask() Greg KH
2011-03-11 20:40 ` [02/17] [S390] keyboard: integer underflow bug Greg KH
2011-03-11 20:40 ` [03/17] RxRPC: Fix v1 keys Greg KH
2011-03-11 20:40 ` [04/17] ixgbe: fix for 82599 erratum on Header Splitting Greg KH
2011-03-11 20:40 ` [05/17] mm: fix possible cause of a page_mapped BUG Greg KH
2011-03-11 20:40 ` [06/17] powerpc/kdump: CPUs assume the context of the oopsing CPU Greg KH
2011-03-11 20:40 ` [07/17] powerpc/kdump: Use chip->shutdown to disable IRQs Greg KH
2011-03-11 20:40 ` [08/17] powerpc: Use more accurate limit for first segment memory allocations Greg KH
2011-03-11 20:40 ` [09/17] powerpc/pseries: Add hcall to read 4 ptes at a time in real mode Greg KH
2011-03-11 20:40 ` [10/17] powerpc/kexec: Speedup kexec hash PTE tear down Greg KH
2011-03-11 20:40 ` [11/17] powerpc/crashdump: Do not fail on NULL pointer dereferencing Greg KH
2011-03-11 20:40 ` [12/17] powerpc/kexec: Fix orphaned offline CPUs across kexec Greg KH
2011-03-11 20:40 ` [13/17] netfilter: nf_log: avoid oops in (un)bind with invalid nfproto values Greg KH
2011-03-11 20:40 ` [14/17] nfsd: wrong index used in inner loop Greg KH
2011-03-11 22:21 ` Tim Gardner
2011-03-17 23:00 ` J. Bruce Fields
2011-03-18 0:55 ` Tim Gardner [this message]
2011-03-11 20:40 ` [15/17] r8169: use RxFIFO overflow workaround for 8168c chipset Greg KH
2011-03-11 20:40 ` [16/17] Staging: comedi: jr3_pci: Dont ioremap too much space. Check result Greg KH
2011-03-11 20:40 ` [17/17] net: dont allow CAP_NET_ADMIN to load non-netdev kernel modules Greg KH
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4D82AD81.7030107@canonical.com \
--to=tim.gardner@canonical.com \
--cc=akpm@linux-foundation.org \
--cc=alan@lxorguk.ukuu.org.uk \
--cc=bfields@redhat.com \
--cc=gregkh@suse.de \
--cc=linux-kernel@vger.kernel.org \
--cc=roel.kluin@gmail.com \
--cc=stable-review@kernel.org \
--cc=stable@kernel.org \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.