From: Andreas Gruenbacher <agruen@suse.de>
To: Trond Myklebust <Trond.Myklebust@netapp.com>
Cc: Florian Weimer <fw@deneb.enyo.de>,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
Olaf Kirch <okir@suse.de>
Subject: Re: Potential xdr_xcode_array2 security issue (was: Re: [PATCH] RPC: Encode and decode arbitrary XDR arrays)
Date: Thu, 23 Jun 2005 11:53:41 +0200 [thread overview]
Message-ID: <200506231153.41318.agruen@suse.de> (raw)
In-Reply-To: <87y8911v46.fsf@deneb.enyo.de>
[-- Attachment #1: Type: text/plain, Size: 166 bytes --]
On Thursday 23 June 2005 07:48, Florian Weimer wrote:
> This looks suspiciously like CVE-2002-0391.
Thanks, Florian. How about the attached patch?
Cheers,
Andreas.
[-- Attachment #2: xdr-input-validation.diff --]
[-- Type: text/x-diff, Size: 1196 bytes --]
From: Andreas Gruenbacher <agruen@suse.de>
Subject: Overflow in xdr input validation
The bounds check in xdr_xcode_array2 can overflow. Reported by
Florian Weimer <fw@deneb.enyo.de>.
Signed-off-by: Andreas Gruenbacher <agruen@suse.de>
Index: linux-2.6.5/net/sunrpc/xdr.c
===================================================================
--- linux-2.6.5.orig/net/sunrpc/xdr.c
+++ linux-2.6.5/net/sunrpc/xdr.c
@@ -989,8 +989,7 @@ xdr_xcode_array2(struct xdr_buf *buf, un
return -EINVAL;
} else {
if (xdr_decode_word(buf, base, &desc->array_len) != 0 ||
- (unsigned long) base + 4 + desc->array_len *
- desc->elem_size > buf->len)
+ desc->array_len > (buf->len - base - 4) / desc->elem_size)
return -EINVAL;
}
base += 4;
@@ -1158,8 +1157,8 @@ int
xdr_encode_array2(struct xdr_buf *buf, unsigned int base,
struct xdr_array2_desc *desc)
{
- if ((unsigned long) base + 4 + desc->array_len * desc->elem_size >
- buf->head->iov_len + buf->page_len + buf->tail->iov_len)
+ if (buf->head->iov_len + buf->page_len + buf->tail->iov_len -
+ base < desc->array_len * desc->elem_size + 4)
return -EINVAL;
return xdr_xcode_array2(buf, base, desc, 1);
next prev parent reply other threads:[~2005-06-23 10:03 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <200506230502.j5N52PWP007955@hera.kernel.org>
2005-06-23 5:48 ` Potential xdr_xcode_array2 security issue (was: Re: [PATCH] RPC: Encode and decode arbitrary XDR arrays) Florian Weimer
2005-06-23 9:53 ` Andreas Gruenbacher [this message]
2005-06-23 10:45 ` Potential xdr_xcode_array2 security issue Florian Weimer
2005-06-23 11:00 ` Andreas Gruenbacher
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=200506231153.41318.agruen@suse.de \
--to=agruen@suse.de \
--cc=Trond.Myklebust@netapp.com \
--cc=fw@deneb.enyo.de \
--cc=linux-kernel@vger.kernel.org \
--cc=okir@suse.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox