From: Andrew Morton <akpm@linux-foundation.org>
To: argp-YZAGAMbGdGKGw+nKnLezzg@public.gmane.org
Cc: bugzilla-daemon-590EEB7GvNiWaY/ihj7yzEB+6BGkLq7r@public.gmane.org,
bugme-daemon-590EEB7GvNiWaY/ihj7yzEB+6BGkLq7r@public.gmane.org,
netdev@vger.kernel.org, "J. Bruce Fields" <bfields@fieldses.org>,
Trond Myklebust <trond.myklebust@fys.uio.no>,
Neil Brown <neilb@suse.de>,
linux-nfs@vger.kernel.org
Subject: Re: [Bugme-new] [Bug 14546] New: Off-by-two stack buffer overflow in function rpc_uaddr2sockaddr() of net/sunrpc/addr.c
Date: Tue, 10 Nov 2009 15:29:08 -0800 [thread overview]
Message-ID: <20091110152908.7558a471.akpm@linux-foundation.org> (raw)
In-Reply-To: <bug-14546-10286-V0hAGp6uBxO456/isadD/XN4h3HLQggn@public.gmane.org/>
(switched to email. Please respond via emailed reply-to-all, not via the
bugzilla web interface).
On Thu, 5 Nov 2009 10:31:03 GMT
bugzilla-daemon-590EEB7GvNiWaY/ihj7yzEB+6BGkLq7r@public.gmane.org wrote:
> http://bugzilla.kernel.org/show_bug.cgi?id=14546
>
> Summary: Off-by-two stack buffer overflow in function
> rpc_uaddr2sockaddr() of net/sunrpc/addr.c
> Product: Networking
> Version: 2.5
> Kernel Version: 2.6.32-rc6
> Platform: All
> OS/Version: Linux
> Tree: Mainline
> Status: NEW
> Severity: normal
> Priority: P1
> Component: Other
> AssignedTo: acme-f8uhVLnGfZaxAyOMLChx1axOck334EZe@public.gmane.org
> ReportedBy: argp-YZAGAMbGdGKGw+nKnLezzg@public.gmane.org
> CC: argp-YZAGAMbGdGKGw+nKnLezzg@public.gmane.org
> Regression: No
>
>
> There is an off-by-two stack buffer overflow in function rpc_uaddr2sockaddr()
> of file net/sunrpc/addr.c in the Linux kernel SUNRPC implementation.
>
> The function rpc_uaddr2sockaddr() that is used to convert a universal address
> to a socket address takes as an argument the size_t variable uaddr_len (the
> length of the universal address string). The stack buffer buf is declared in
> line 315 to be of size RPCBIND_MAXUADDRLEN. If the passed argument uaddr_len is
> equal to RPCBIND_MAXUADDRLEN then the check at line 319 passes and then at
> lines 324 and 325 there are two out-of-bounds assignments:
>
> 319 if (uaddr_len > sizeof(buf))
> 320 return 0;
> ...
> 324 buf[uaddr_len] = '\n';
> 325 buf[uaddr_len + 1] = '\0';
>
> To fix it please see the attached patch.
>
Please don't submit patches via bugzilla.
Please prepare this patch as per Documentation/SubmittingPatches and
email it to all the recipients of this email, thanks.
--- ./net/sunrpc/addr.c.orig 2009-11-05 11:55:45.000000000 +0200
+++ ./net/sunrpc/addr.c 2009-11-05 12:09:34.000000000 +0200
@@ -316,7 +316,7 @@
unsigned long portlo, porthi;
unsigned short port;
- if (uaddr_len > sizeof(buf))
+ if (uaddr_len > sizeof(buf) - 2)
return 0;
memcpy(buf, uaddr, uaddr_len);
next parent reply other threads:[~2009-11-10 23:29 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <bug-14546-10286@http.bugzilla.kernel.org/>
[not found] ` <bug-14546-10286-V0hAGp6uBxO456/isadD/XN4h3HLQggn@public.gmane.org/>
2009-11-10 23:29 ` Andrew Morton [this message]
2009-11-10 23:38 ` [Bugme-new] [Bug 14546] New: Off-by-two stack buffer overflow in function rpc_uaddr2sockaddr() of net/sunrpc/addr.c Chuck Lever
2009-11-11 7:51 ` Patroklos Argyroudis
2009-11-11 12:11 ` Fabio Olive Leite
2009-11-11 12:34 ` Fabio Olive Leite
2009-11-11 15:53 ` Chuck Lever
2009-11-12 5:56 ` Neil Brown
2009-11-11 11:02 ` [PATCH] sunrpc: off-by-two stack buffer overflow in function rpc_uaddr2sockaddr() Patroklos Argyroudis
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20091110152908.7558a471.akpm@linux-foundation.org \
--to=akpm@linux-foundation.org \
--cc=argp-YZAGAMbGdGKGw+nKnLezzg@public.gmane.org \
--cc=bfields@fieldses.org \
--cc=bugme-daemon-590EEB7GvNiWaY/ihj7yzEB+6BGkLq7r@public.gmane.org \
--cc=bugzilla-daemon-590EEB7GvNiWaY/ihj7yzEB+6BGkLq7r@public.gmane.org \
--cc=linux-nfs@vger.kernel.org \
--cc=neilb@suse.de \
--cc=netdev@vger.kernel.org \
--cc=trond.myklebust@fys.uio.no \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox