Re: Potential xdr_xcode_array2 security issue (was: Re: [PATCH] RPC: Encode and decode arbitrary XDR arrays)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On Thursday 23 June 2005 07:48, Florian Weimer wrote:
> This looks suspiciously like CVE-2002-0391.

Thanks, Florian. How about the attached patch?

Cheers,
Andreas.

From: Andreas Gruenbacher <[email protected]>
Subject: Overflow in xdr input validation

The bounds check in xdr_xcode_array2 can overflow. Reported by
Florian Weimer <[email protected]>.

Signed-off-by: Andreas Gruenbacher <[email protected]>

Index: linux-2.6.5/net/sunrpc/xdr.c
===================================================================
--- linux-2.6.5.orig/net/sunrpc/xdr.c
+++ linux-2.6.5/net/sunrpc/xdr.c
@@ -989,8 +989,7 @@ xdr_xcode_array2(struct xdr_buf *buf, un
 			return -EINVAL;
 	} else {
 		if (xdr_decode_word(buf, base, &desc->array_len) != 0 ||
-		    (unsigned long) base + 4 + desc->array_len *
-				    desc->elem_size > buf->len)
+		    desc->array_len > (buf->len - base - 4) / desc->elem_size)
 			return -EINVAL;
 	}
 	base += 4;
@@ -1158,8 +1157,8 @@ int
 xdr_encode_array2(struct xdr_buf *buf, unsigned int base,
 		  struct xdr_array2_desc *desc)
 {
-	if ((unsigned long) base + 4 + desc->array_len * desc->elem_size >
-	    buf->head->iov_len + buf->page_len + buf->tail->iov_len)
+	if (buf->head->iov_len + buf->page_len + buf->tail->iov_len -
+	    base < desc->array_len * desc->elem_size + 4)
 		return -EINVAL;
 
 	return xdr_xcode_array2(buf, base, desc, 1);
[Index of Archives]     [Kernel Newbies]     [Netfilter]     [Bugtraq]     [Photo]     [Stuff]     [Gimp]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Video 4 Linux]     [Linux for the blind]     [Linux Resources]
  Powered by Linux