Commit ee69675a authored by J. Bruce Fields, committed by Greg Kroah-Hartman

nfsd: fix buffer overrun decoding NFSv4 acl

commit 91b80969 upstream

The array we kmalloc() here is not large enough.

Thanks to Johann Dahm and David Richter for bug report and testing.
Signed-off-by: J. Bruce Fields <bfields@citi.umich.edu>
Cc: David Richter <richterd@citi.umich.edu>
Tested-by: Johann Dahm <jdahm@umich.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
parent 94d5272a
...@@ -443,7 +443,7 @@ init_state(struct posix_acl_state *state, int cnt) ...@@ -443,7 +443,7 @@ init_state(struct posix_acl_state *state, int cnt)
* enough space for either: * enough space for either:
*/ */
alloc = sizeof(struct posix_ace_state_array) alloc = sizeof(struct posix_ace_state_array)
+ cnt*sizeof(struct posix_ace_state); + cnt*sizeof(struct posix_user_ace_state);
state->users = kzalloc(alloc, GFP_KERNEL); state->users = kzalloc(alloc, GFP_KERNEL);
if (!state->users) if (!state->users)
return -ENOMEM; return -ENOMEM;
......
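Review bot: The corrected line `+ cnt*sizeof(struct posix_user_ace_state)` still spells the element type by hand, which is the pattern that left the buffer undersized when the name was `struct posix_ace_state`; if the array's element type changes again, the allocation goes out of step without any compiler warning. Consider taking the element size from the array reached through state->users instead of from a type name, so the size follows the declaration. Separately, cnt is a plain int in the `init_state(struct posix_acl_state *state, int cnt)` signature and the multiplication reaches kzalloc() unchecked in the lines shown; if callers do not already bound cnt, a range check on entry would be worth adding. The commit message would also be easier to audit if it named which element type the array holds.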