From mboxrd@z Thu Jan 1 00:00:00 1970 From: Andrew Morton Subject: Re: [Bugme-new] [Bug 14546] New: Off-by-two stack buffer overflow in function rpc_uaddr2sockaddr() of net/sunrpc/addr.c Date: Tue, 10 Nov 2009 15:29:08 -0800 Message-ID: <20091110152908.7558a471.akpm@linux-foundation.org> References: Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Cc: bugzilla-daemon-590EEB7GvNiWaY/ihj7yzEB+6BGkLq7r@public.gmane.org, bugme-daemon-590EEB7GvNiWaY/ihj7yzEB+6BGkLq7r@public.gmane.org, netdev-u79uwXL29TY76Z2rM5mHXA@public.gmane.org, "J. Bruce Fields" , Trond Myklebust , Neil Brown , linux-nfs-u79uwXL29TY76Z2rM5mHXA@public.gmane.org To: argp-YZAGAMbGdGKGw+nKnLezzg@public.gmane.org Return-path: In-Reply-To: Sender: linux-nfs-owner-u79uwXL29TY76Z2rM5mHXA@public.gmane.org List-Id: netdev.vger.kernel.org (switched to email. Please respond via emailed reply-to-all, not via the bugzilla web interface). On Thu, 5 Nov 2009 10:31:03 GMT bugzilla-daemon-590EEB7GvNiWaY/ihj7yzEB+6BGkLq7r@public.gmane.org wrote: > http://bugzilla.kernel.org/show_bug.cgi?id=14546 > > Summary: Off-by-two stack buffer overflow in function > rpc_uaddr2sockaddr() of net/sunrpc/addr.c > Product: Networking > Version: 2.5 > Kernel Version: 2.6.32-rc6 > Platform: All > OS/Version: Linux > Tree: Mainline > Status: NEW > Severity: normal > Priority: P1 > Component: Other > AssignedTo: acme-f8uhVLnGfZaxAyOMLChx1axOck334EZe@public.gmane.org > ReportedBy: argp-YZAGAMbGdGKGw+nKnLezzg@public.gmane.org > CC: argp-YZAGAMbGdGKGw+nKnLezzg@public.gmane.org > Regression: No > > > There is an off-by-two stack buffer overflow in function rpc_uaddr2sockaddr() > of file net/sunrpc/addr.c in the Linux kernel SUNRPC implementation. > > The function rpc_uaddr2sockaddr() that is used to convert a universal address > to a socket address takes as an argument the size_t variable uaddr_len (the > length of the universal address string). The stack buffer buf is declared in > line 315 to be of size RPCBIND_MAXUADDRLEN. If the passed argument uaddr_len is > equal to RPCBIND_MAXUADDRLEN then the check at line 319 passes and then at > lines 324 and 325 there are two out-of-bounds assignments: > > 319 if (uaddr_len > sizeof(buf)) > 320 return 0; > ... > 324 buf[uaddr_len] = '\n'; > 325 buf[uaddr_len + 1] = '\0'; > > To fix it please see the attached patch. > Please don't submit patches via bugzilla. Please prepare this patch as per Documentation/SubmittingPatches and email it to all the recipients of this email, thanks. --- ./net/sunrpc/addr.c.orig 2009-11-05 11:55:45.000000000 +0200 +++ ./net/sunrpc/addr.c 2009-11-05 12:09:34.000000000 +0200 @@ -316,7 +316,7 @@ unsigned long portlo, porthi; unsigned short port; - if (uaddr_len > sizeof(buf)) + if (uaddr_len > sizeof(buf) - 2) return 0; memcpy(buf, uaddr, uaddr_len); -- To unsubscribe from this list: send the line "unsubscribe linux-nfs" in the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org More majordomo info at http://vger.kernel.org/majordomo-info.html