Skip to content

Commit

Permalink
nfs: check for integer overflow in decode_devicenotify_args()
Browse files Browse the repository at this point in the history 
On 32 bit, if n is too large then "n * sizeof(*args->devs)" could
overflow and args->devs would be smaller than expected.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
  • Loading branch information
Dan Carpenter authored and Trond Myklebust committed Jan 12, 2012
1 parent 13fff2f commit 363e0df
Showing 1 changed file with 4 additions and 0 deletions.
4 changes: 4 additions & 0 deletions fs/nfs/callback_xdr.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -305,6 +305,10 @@ __be32 decode_devicenotify_args(struct svc_rqst *rqstp,
n = ntohl(*p++);
if (n <= 0)
goto out;
if (n > ULONG_MAX / sizeof(*args->devs)) {
status = htonl(NFS4ERR_BADXDR);
goto out;
}

args->devs = kmalloc(n * sizeof(*args->devs), GFP_KERNEL);
if (!args->devs) {
Expand Down

0 comments on commit 363e0df

Please sign in to comment.