On Thursday 23 June 2005 07:48, Florian Weimer wrote:
> This looks suspiciously like CVE-2002-0391.
Thanks, Florian. How about the attached patch?
Cheers,
Andreas.
From: Andreas Gruenbacher <[email protected]>
Subject: Overflow in xdr input validation
The bounds check in xdr_xcode_array2 can overflow. Reported by
Florian Weimer <[email protected]>.
Signed-off-by: Andreas Gruenbacher <[email protected]>
Index: linux-2.6.5/net/sunrpc/xdr.c
===================================================================
--- linux-2.6.5.orig/net/sunrpc/xdr.c
+++ linux-2.6.5/net/sunrpc/xdr.c
@@ -989,8 +989,7 @@ xdr_xcode_array2(struct xdr_buf *buf, un
return -EINVAL;
} else {
if (xdr_decode_word(buf, base, &desc->array_len) != 0 ||
- (unsigned long) base + 4 + desc->array_len *
- desc->elem_size > buf->len)
+ desc->array_len > (buf->len - base - 4) / desc->elem_size)
return -EINVAL;
}
base += 4;
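Review bot: The new test in the else branch divides by desc->elem_size, and nothing in the visible lines rejects a zero element size, so a descriptor with elem_size == 0 would now fault here instead of being bounds-checked. Consider rejecting elem_size == 0 up front, or stating where callers guarantee it is non-zero. The subtraction buf->len - base - 4 is also done in unsigned arithmetic (base is unsigned int in the xdr_encode_array2 signature below), so it wraps to a huge value if base + 4 exceeds buf->len. The check then relies on the preceding xdr_decode_word(buf, base, ...) call failing first in that case, and a short comment saying so would make the ordering dependency explicit.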
@@ -1158,8 +1157,8 @@ int
xdr_encode_array2(struct xdr_buf *buf, unsigned int base,
struct xdr_array2_desc *desc)
{
- if ((unsigned long) base + 4 + desc->array_len * desc->elem_size >
- buf->head->iov_len + buf->page_len + buf->tail->iov_len)
+ if (buf->head->iov_len + buf->page_len + buf->tail->iov_len -
+ base < desc->array_len * desc->elem_size + 4)
return -EINVAL;
return xdr_xcode_array2(buf, base, desc, 1);
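Review bot: The rewritten condition in xdr_encode_array2 still computes desc->array_len * desc->elem_size + 4, so the product can wrap exactly as in the removed lines and a large array_len can still pass the check. The first hunk avoids this by dividing the remaining space by elem_size, and the same form should be used here. The left-hand side also subtracts base from the summed iov_len and page_len values without first checking that base is not larger than that total, so it can wrap to a large value. Compare base (plus the 4-byte length word) against the total before subtracting.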