From: Tim Gardner <tim.gardner@canonical.com>
To: "J. Bruce Fields" <bfields@redhat.com>
Cc: Greg KH <gregkh@suse.de>,
alan@lxorguk.ukuu.org.uk, Roel Kluin <roel.kluin@gmail.com>,
linux-kernel@vger.kernel.org, stable@kernel.org,
stable-review@kernel.org, torvalds@linux-foundation.org,
akpm@linux-foundation.org
Subject: Re: [14/17] nfsd: wrong index used in inner loop
Date: Thu, 17 Mar 2011 18:55:29 -0600 [thread overview]
Message-ID: <4D82AD81.7030107@canonical.com> (raw)
In-Reply-To: <20110317230012.GA4072@pad.home.fieldses.org>
On 03/17/2011 05:00 PM, J. Bruce Fields wrote:
> On Fri, Mar 11, 2011 at 10:21:58PM +0000, Tim Gardner wrote:
>> On 03/11/2011 08:40 PM, Greg KH wrote:
>>> 2.6.32-longterm review patch. If anyone has any objections, please let us know.
>>>
>>> ------------------
>>>
>>> From: roel<roel.kluin@gmail.com>
>>>
>>> commit 3ec07aa9522e3d5e9d5ede7bef946756e623a0a0 upstream.
>>>
>>> Index i was already used in the outer loop
>>>
>>> Signed-off-by: Roel Kluin<roel.kluin@gmail.com>
>>> Signed-off-by: J. Bruce Fields<bfields@redhat.com>
>>> Signed-off-by: Greg Kroah-Hartman<gregkh@suse.de>
>>>
>>> ---
>>> fs/nfsd/nfs4xdr.c | 4 ++--
>>> 1 file changed, 2 insertions(+), 2 deletions(-)
>>>
>>> --- a/fs/nfsd/nfs4xdr.c
>>> +++ b/fs/nfsd/nfs4xdr.c
>>> @@ -1114,7 +1114,7 @@ nfsd4_decode_create_session(struct nfsd4
>>>
>>> u32 dummy;
>>> char *machine_name;
>>> - int i;
>>> + int i, j;
>>> int nr_secflavs;
>>>
>>> READ_BUF(16);
>>> @@ -1187,7 +1187,7 @@ nfsd4_decode_create_session(struct nfsd4
>>> READ_BUF(4);
>>> READ32(dummy);
>>> READ_BUF(dummy * 4);
>>> - for (i = 0; i< dummy; ++i)
>>> + for (j = 0; j< dummy; ++j)
>>> READ32(dummy);
>>> break;
>>> case RPC_AUTH_GSS:
>>>
>>>
>>> --
>>
>> I agree that fixing the index in this loop is a good thing, but its
>> caused me to look at the result:
>>
>> for (j = 0; j< dummy; ++j)
>> READ32(dummy);
>>
>> It seems to me that this loop might never terminate if the original
>> buffer is maliciously constructed, e.g., 0, 1, 2, 3, ... Is the data
>> in this buffer really that well vetted?
>
> Agreed, the code's still clearly bogus. In fact, we can just delete
> that loop entirely; I have a patch queued up to send to Linus soon.
>
> (But go ahead and apply this anyway, and then you'll get the followup
> patch when it lands.)
>
> --b.
>
Will do. Thanks for the update.
rtg
--
Tim Gardner tim.gardner@canonical.com
next prev parent reply other threads:[~2011-03-18 0:55 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-03-11 20:41 [00/17] 2.6.32.33-longterm review Greg KH
2011-03-11 20:40 ` [01/17] cpuset: add a missing unlock in cpuset_write_resmask() Greg KH
2011-03-11 20:40 ` [02/17] [S390] keyboard: integer underflow bug Greg KH
2011-03-11 20:40 ` [03/17] RxRPC: Fix v1 keys Greg KH
2011-03-11 20:40 ` [04/17] ixgbe: fix for 82599 erratum on Header Splitting Greg KH
2011-03-11 20:40 ` [05/17] mm: fix possible cause of a page_mapped BUG Greg KH
2011-03-11 20:40 ` [06/17] powerpc/kdump: CPUs assume the context of the oopsing CPU Greg KH
2011-03-11 20:40 ` [07/17] powerpc/kdump: Use chip->shutdown to disable IRQs Greg KH
2011-03-11 20:40 ` [08/17] powerpc: Use more accurate limit for first segment memory allocations Greg KH
2011-03-11 20:40 ` [09/17] powerpc/pseries: Add hcall to read 4 ptes at a time in real mode Greg KH
2011-03-11 20:40 ` [10/17] powerpc/kexec: Speedup kexec hash PTE tear down Greg KH
2011-03-11 20:40 ` [11/17] powerpc/crashdump: Do not fail on NULL pointer dereferencing Greg KH
2011-03-11 20:40 ` [12/17] powerpc/kexec: Fix orphaned offline CPUs across kexec Greg KH
2011-03-11 20:40 ` [13/17] netfilter: nf_log: avoid oops in (un)bind with invalid nfproto values Greg KH
2011-03-11 20:40 ` [14/17] nfsd: wrong index used in inner loop Greg KH
2011-03-11 22:21 ` Tim Gardner
2011-03-17 23:00 ` J. Bruce Fields
2011-03-18 0:55 ` Tim Gardner [this message]
2011-03-11 20:40 ` [15/17] r8169: use RxFIFO overflow workaround for 8168c chipset Greg KH
2011-03-11 20:40 ` [16/17] Staging: comedi: jr3_pci: Dont ioremap too much space. Check result Greg KH
2011-03-11 20:40 ` [17/17] net: dont allow CAP_NET_ADMIN to load non-netdev kernel modules Greg KH
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4D82AD81.7030107@canonical.com \
--to=tim.gardner@canonical.com \
--cc=akpm@linux-foundation.org \
--cc=alan@lxorguk.ukuu.org.uk \
--cc=bfields@redhat.com \
--cc=gregkh@suse.de \
--cc=linux-kernel@vger.kernel.org \
--cc=roel.kluin@gmail.com \
--cc=stable-review@kernel.org \
--cc=stable@kernel.org \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox