Re: [14/17] nfsd: wrong index used in inner loop

public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed

From: Tim Gardner <tim.gardner@canonical.com>
To: Greg KH <gregkh@suse.de>,
	alan@lxorguk.ukuu.org.uk, Roel Kluin <roel.kluin@gmail.com>,
	"J. Bruce Fields" <bfields@redhat.com>
Cc: linux-kernel@vger.kernel.org, stable@kernel.org,
	stable-review@kernel.org, torvalds@linux-foundation.org,
	akpm@linux-foundation.org
Subject: Re: [14/17] nfsd: wrong index used in inner loop
Date: Fri, 11 Mar 2011 22:21:58 +0000	[thread overview]
Message-ID: <4D7AA086.3030500@canonical.com> (raw)
In-Reply-To: <20110311204110.753145113@clark.kroah.org>

On 03/11/2011 08:40 PM, Greg KH wrote:
> 2.6.32-longterm review patch.  If anyone has any objections, please let us know.
>
> ------------------
>
> From: roel<roel.kluin@gmail.com>
>
> commit 3ec07aa9522e3d5e9d5ede7bef946756e623a0a0 upstream.
>
> Index i was already used in the outer loop
>
> Signed-off-by: Roel Kluin<roel.kluin@gmail.com>
> Signed-off-by: J. Bruce Fields<bfields@redhat.com>
> Signed-off-by: Greg Kroah-Hartman<gregkh@suse.de>
>
> ---
>   fs/nfsd/nfs4xdr.c |    4 ++--
>   1 file changed, 2 insertions(+), 2 deletions(-)
>
> --- a/fs/nfsd/nfs4xdr.c
> +++ b/fs/nfsd/nfs4xdr.c
> @@ -1114,7 +1114,7 @@ nfsd4_decode_create_session(struct nfsd4
>
>   	u32 dummy;
>   	char *machine_name;
> -	int i;
> +	int i, j;
>   	int nr_secflavs;
>
>   	READ_BUF(16);
> @@ -1187,7 +1187,7 @@ nfsd4_decode_create_session(struct nfsd4
>   			READ_BUF(4);
>   			READ32(dummy);
>   			READ_BUF(dummy * 4);
> -			for (i = 0; i<  dummy; ++i)
> +			for (j = 0; j<  dummy; ++j)
>   				READ32(dummy);
>   			break;
>   		case RPC_AUTH_GSS:
>
>
> --

I agree that fixing the index in this loop is a good thing, but its 
caused me to look at the result:

for (j = 0; j<  dummy; ++j)
	READ32(dummy);

It seems to me that this loop might never terminate if the original 
buffer is maliciously constructed, e.g., 0, 1, 2, 3, ... Is the data in 
this buffer really that well vetted?

rtg
-- 
Tim Gardner tim.gardner@canonical.com

next prev parent reply	other threads:[~2011-03-11 22:22 UTC|newest]

Thread overview: 21+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2011-03-11 20:41 [00/17] 2.6.32.33-longterm review Greg KH
2011-03-11 20:40 ` [01/17] cpuset: add a missing unlock in cpuset_write_resmask() Greg KH
2011-03-11 20:40 ` [02/17] [S390] keyboard: integer underflow bug Greg KH
2011-03-11 20:40 ` [03/17] RxRPC: Fix v1 keys Greg KH
2011-03-11 20:40 ` [04/17] ixgbe: fix for 82599 erratum on Header Splitting Greg KH
2011-03-11 20:40 ` [05/17] mm: fix possible cause of a page_mapped BUG Greg KH
2011-03-11 20:40 ` [06/17] powerpc/kdump: CPUs assume the context of the oopsing CPU Greg KH
2011-03-11 20:40 ` [07/17] powerpc/kdump: Use chip->shutdown to disable IRQs Greg KH
2011-03-11 20:40 ` [08/17] powerpc: Use more accurate limit for first segment memory allocations Greg KH
2011-03-11 20:40 ` [09/17] powerpc/pseries: Add hcall to read 4 ptes at a time in real mode Greg KH
2011-03-11 20:40 ` [10/17] powerpc/kexec: Speedup kexec hash PTE tear down Greg KH
2011-03-11 20:40 ` [11/17] powerpc/crashdump: Do not fail on NULL pointer dereferencing Greg KH
2011-03-11 20:40 ` [12/17] powerpc/kexec: Fix orphaned offline CPUs across kexec Greg KH
2011-03-11 20:40 ` [13/17] netfilter: nf_log: avoid oops in (un)bind with invalid nfproto values Greg KH
2011-03-11 20:40 ` [14/17] nfsd: wrong index used in inner loop Greg KH
2011-03-11 22:21   ` Tim Gardner [this message]
2011-03-17 23:00     ` J. Bruce Fields
2011-03-18  0:55       ` Tim Gardner
2011-03-11 20:40 ` [15/17] r8169: use RxFIFO overflow workaround for 8168c chipset Greg KH
2011-03-11 20:40 ` [16/17] Staging: comedi: jr3_pci: Dont ioremap too much space. Check result Greg KH
2011-03-11 20:40 ` [17/17] net: dont allow CAP_NET_ADMIN to load non-netdev kernel modules Greg KH

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=4D7AA086.3030500@canonical.com \
    --to=tim.gardner@canonical.com \
    --cc=akpm@linux-foundation.org \
    --cc=alan@lxorguk.ukuu.org.uk \
    --cc=bfields@redhat.com \
    --cc=gregkh@suse.de \
    --cc=linux-kernel@vger.kernel.org \
    --cc=roel.kluin@gmail.com \
    --cc=stable-review@kernel.org \
    --cc=stable@kernel.org \
    --cc=torvalds@linux-foundation.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox