Patch "sunrpc/cache: fix off-by-one in qword_get()" has been added to the 3.14-stable tree

stable.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* Patch "sunrpc/cache: fix off-by-one in qword_get()" has been added to the 3.14-stable tree
@ 2016-03-01 22:23 gregkh
  0 siblings, 0 replies; only message in thread
From: gregkh @ 2016-03-01 22:23 UTC (permalink / raw)
  To: stefanha, bfields, gregkh; +Cc: stable, stable-commits


This is a note to let you know that I've just added the patch titled

    sunrpc/cache: fix off-by-one in qword_get()

to the 3.14-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     sunrpc-cache-fix-off-by-one-in-qword_get.patch
and it can be found in the queue-3.14 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@vger.kernel.org> know about it.


>From b7052cd7bcf3c1478796e93e3dff2b44c9e82943 Mon Sep 17 00:00:00 2001
From: Stefan Hajnoczi <stefanha@redhat.com>
Date: Thu, 18 Feb 2016 18:55:54 +0000
Subject: sunrpc/cache: fix off-by-one in qword_get()

From: Stefan Hajnoczi <stefanha@redhat.com>

commit b7052cd7bcf3c1478796e93e3dff2b44c9e82943 upstream.

The qword_get() function NUL-terminates its output buffer.  If the input
string is in hex format \xXXXX... and the same length as the output
buffer, there is an off-by-one:

  int qword_get(char **bpp, char *dest, int bufsize)
  {
      ...
      while (len < bufsize) {
          ...
          *dest++ = (h << 4) | l;
          len++;
      }
      ...
      *dest = '\0';
      return len;
  }

This patch ensures the NUL terminator doesn't fall outside the output
buffer.

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 net/sunrpc/cache.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/sunrpc/cache.c
+++ b/net/sunrpc/cache.c
@@ -1230,7 +1230,7 @@ int qword_get(char **bpp, char *dest, in
 	if (bp[0] == '\\' && bp[1] == 'x') {
 		/* HEX STRING */
 		bp += 2;
-		while (len < bufsize) {
+		while (len < bufsize - 1) {
 			int h, l;
 
 			h = hex_to_bin(bp[0]);


Patches currently in stable-queue which might be from stefanha@redhat.com are

queue-3.14/sunrpc-cache-fix-off-by-one-in-qword_get.patch

^ permalink raw reply	[flat|nested] only message in thread

only message in thread, other threads:[~2016-03-01 22:23 UTC | newest]

Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2016-03-01 22:23 Patch "sunrpc/cache: fix off-by-one in qword_get()" has been added to the 3.14-stable tree gregkh

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).