[PATCH] sunrpc/cache: fix off-by-one in qword

linux-nfs.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* [PATCH] sunrpc/cache: fix off-by-one in qword_get()
@ 2016-02-18 18:55 Stefan Hajnoczi
  2016-02-23 19:41 ` J. Bruce Fields
  0 siblings, 1 reply; 2+ messages in thread
From: Stefan Hajnoczi @ 2016-02-18 18:55 UTC (permalink / raw)
  To: J. Bruce Fields; +Cc: linux-nfs, Stefan Hajnoczi

The qword_get() function NUL-terminates its output buffer.  If the input
string is in hex format \xXXXX... and the same length as the output
buffer, there is an off-by-one:

  int qword_get(char **bpp, char *dest, int bufsize)
  {
      ...
      while (len < bufsize) {
          ...
          *dest++ = (h << 4) | l;
          len++;
      }
      ...
      *dest = '\0';
      return len;
  }

This patch ensures the NUL terminator doesn't fall outside the output
buffer.

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
---
 net/sunrpc/cache.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/sunrpc/cache.c b/net/sunrpc/cache.c
index 2b32fd6..273bc3a 100644
--- a/net/sunrpc/cache.c
+++ b/net/sunrpc/cache.c
@@ -1225,7 +1225,7 @@ int qword_get(char **bpp, char *dest, int bufsize)
 	if (bp[0] == '\\' && bp[1] == 'x') {
 		/* HEX STRING */
 		bp += 2;
-		while (len < bufsize) {
+		while (len < bufsize - 1) {
 			int h, l;
 
 			h = hex_to_bin(bp[0]);
-- 
2.5.0


^ permalink raw reply related	[flat|nested] 2+ messages in thread

* Re: [PATCH] sunrpc/cache: fix off-by-one in qword_get()
  2016-02-18 18:55 [PATCH] sunrpc/cache: fix off-by-one in qword_get() Stefan Hajnoczi
@ 2016-02-23 19:41 ` J. Bruce Fields
  0 siblings, 0 replies; 2+ messages in thread
From: J. Bruce Fields @ 2016-02-23 19:41 UTC (permalink / raw)
  To: Stefan Hajnoczi; +Cc: J. Bruce Fields, linux-nfs

On Thu, Feb 18, 2016 at 06:55:54PM +0000, Stefan Hajnoczi wrote:
> The qword_get() function NUL-terminates its output buffer.  If the input
> string is in hex format \xXXXX... and the same length as the output
> buffer, there is an off-by-one:

Thanks, I'll pass this along to Linus soon, for 4.5 and stable.

--b.

> 
>   int qword_get(char **bpp, char *dest, int bufsize)
>   {
>       ...
>       while (len < bufsize) {
>           ...
>           *dest++ = (h << 4) | l;
>           len++;
>       }
>       ...
>       *dest = '\0';
>       return len;
>   }
> 
> This patch ensures the NUL terminator doesn't fall outside the output
> buffer.
> 
> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
> ---
>  net/sunrpc/cache.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/net/sunrpc/cache.c b/net/sunrpc/cache.c
> index 2b32fd6..273bc3a 100644
> --- a/net/sunrpc/cache.c
> +++ b/net/sunrpc/cache.c
> @@ -1225,7 +1225,7 @@ int qword_get(char **bpp, char *dest, int bufsize)
>  	if (bp[0] == '\\' && bp[1] == 'x') {
>  		/* HEX STRING */
>  		bp += 2;
> -		while (len < bufsize) {
> +		while (len < bufsize - 1) {
>  			int h, l;
>  
>  			h = hex_to_bin(bp[0]);
> -- 
> 2.5.0

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2016-02-23 19:41 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2016-02-18 18:55 [PATCH] sunrpc/cache: fix off-by-one in qword_get() Stefan Hajnoczi
2016-02-23 19:41 ` J. Bruce Fields

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).