Skip to content

Commit

Permalink
sunrpc: integer underflow in rsc_parse()
Browse files Browse the repository at this point in the history 
If we call groups_alloc() with invalid values then it's might lead to
memory corruption.  For example, with a negative value then we might not
allocate enough for sizeof(struct group_info).

(We're doing this in the caller for consistency with other callers of
groups_alloc().  The other alternative might be to move the check out of
all the callers into groups_alloc().)

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
  • Loading branch information
Dan Carpenter authored and J. Bruce Fields committed Feb 26, 2015
1 parent c876486 commit 76cb4be
Showing 1 changed file with 2 additions and 0 deletions.
2 changes: 2 additions & 0 deletions net/sunrpc/auth_gss/svcauth_gss.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -463,6 +463,8 @@ static int rsc_parse(struct cache_detail *cd,
/* number of additional gid's */
if (get_int(&mesg, &N))
goto out;
if (N < 0 || N > NGROUPS_MAX)
goto out;
status = -ENOMEM;
rsci.cred.cr_group_info = groups_alloc(N);
if (rsci.cred.cr_group_info == NULL)
Expand Down

0 comments on commit 76cb4be

Please sign in to comment.