From: Patroklos Argyroudis <argp@census-labs.com>
To: Andrew Morton <akpm@linux-foundation.org>
Cc: netdev@vger.kernel.org, "J. Bruce Fields" <bfields@fieldses.org>,
Trond Myklebust <trond.myklebust@fys.uio.no>,
Neil Brown <neilb@suse.de>,
linux-nfs@vger.kernel.org
Subject: [PATCH] sunrpc: off-by-two stack buffer overflow in function rpc_uaddr2sockaddr()
Date: Wed, 11 Nov 2009 13:02:29 +0200 [thread overview]
Message-ID: <20091111110229.GA12676@evola> (raw)
In-Reply-To: <20091110152908.7558a471.akpm@linux-foundation.org>
There is an off-by-two stack buffer overflow in function rpc_uaddr2sockaddr()
of file net/sunrpc/addr.c in the Linux kernel SUNRPC implementation.
The function rpc_uaddr2sockaddr() that is used to convert a universal address
to a socket address takes as an argument the size_t variable uaddr_len (the
length of the universal address string). The stack buffer buf is declared in
line 315 to be of size RPCBIND_MAXUADDRLEN. If the passed argument uaddr_len is
equal to RPCBIND_MAXUADDRLEN then the check at line 319 passes and then at
lines 324 and 325 there are two out-of-bounds assignments:
319 if (uaddr_len > sizeof(buf))
320 return 0;
...
324 buf[uaddr_len] = '\n';
325 buf[uaddr_len + 1] = '\0';
Signed-off-by: Patroklos Argyroudis <argp@census-labs.com>
---
--- linux-2.6/net/sunrpc/addr.c.orig 2009-11-11 12:33:04.000000000 +0200
+++ linux-2.6/net/sunrpc/addr.c 2009-11-11 12:33:32.000000000 +0200
@@ -316,7 +316,7 @@ size_t rpc_uaddr2sockaddr(const char *ua
unsigned long portlo, porthi;
unsigned short port;
- if (uaddr_len > sizeof(buf))
+ if (uaddr_len > sizeof(buf) - 2)
return 0;
memcpy(buf, uaddr, uaddr_len);
prev parent reply other threads:[~2009-11-11 11:02 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <bug-14546-10286@http.bugzilla.kernel.org/>
[not found] ` <bug-14546-10286-V0hAGp6uBxO456/isadD/XN4h3HLQggn@public.gmane.org/>
2009-11-10 23:29 ` [Bugme-new] [Bug 14546] New: Off-by-two stack buffer overflow in function rpc_uaddr2sockaddr() of net/sunrpc/addr.c Andrew Morton
2009-11-10 23:38 ` Chuck Lever
[not found] ` <967DC2CE-588D-4207-BF2D-59727454DC2E-QHcLZuEGTsvQT0dZR+AlfA@public.gmane.org>
2009-11-11 7:51 ` Patroklos Argyroudis
2009-11-11 12:11 ` Fabio Olive Leite
2009-11-11 12:34 ` Fabio Olive Leite
2009-11-11 15:53 ` Chuck Lever
2009-11-12 5:56 ` Neil Brown
2009-11-11 11:02 ` Patroklos Argyroudis [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20091111110229.GA12676@evola \
--to=argp@census-labs.com \
--cc=akpm@linux-foundation.org \
--cc=bfields@fieldses.org \
--cc=linux-nfs@vger.kernel.org \
--cc=neilb@suse.de \
--cc=netdev@vger.kernel.org \
--cc=trond.myklebust@fys.uio.no \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).