summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorDan Carpenter <dan.carpenter@oracle.com>2015-02-24 16:34:01 +0100
committerJ. Bruce Fields <bfields@redhat.com>2015-02-26 21:40:16 +0100
commit76cb4be993c03bf9ec65a58b13f12c679bb041e4 (patch)
tree03b3d028748f40de41ec8a71a83524e77f758a9d
parentnfsd: fix clp->cl_revoked list deletion causing softlock in nfsd (diff)
downloadlinux-76cb4be993c03bf9ec65a58b13f12c679bb041e4.tar.xz
linux-76cb4be993c03bf9ec65a58b13f12c679bb041e4.zip
sunrpc: integer underflow in rsc_parse()
If we call groups_alloc() with invalid values then it's might lead to memory corruption. For example, with a negative value then we might not allocate enough for sizeof(struct group_info). (We're doing this in the caller for consistency with other callers of groups_alloc(). The other alternative might be to move the check out of all the callers into groups_alloc().) Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Reviewed-by: Simo Sorce <simo@redhat.com> Signed-off-by: J. Bruce Fields <bfields@redhat.com>
-rw-r--r--net/sunrpc/auth_gss/svcauth_gss.c2
1 files changed, 2 insertions, 0 deletions
diff --git a/net/sunrpc/auth_gss/svcauth_gss.c b/net/sunrpc/auth_gss/svcauth_gss.c
index 224a82f24d3c..1095be9c80ab 100644
--- a/net/sunrpc/auth_gss/svcauth_gss.c
+++ b/net/sunrpc/auth_gss/svcauth_gss.c
@@ -463,6 +463,8 @@ static int rsc_parse(struct cache_detail *cd,
/* number of additional gid's */
if (get_int(&mesg, &N))
goto out;
+ if (N < 0 || N > NGROUPS_MAX)
+ goto out;
status = -ENOMEM;
rsci.cred.cr_group_info = groups_alloc(N);
if (rsci.cred.cr_group_info == NULL)