diff options
author | J. Bruce Fields <bfields@citi.umich.edu> | 2008-08-30 01:18:45 +0200 |
---|---|---|
committer | J. Bruce Fields <bfields@citi.umich.edu> | 2008-09-01 20:24:24 +0200 |
commit | 91b80969ba466ba4b915a4a1d03add8c297add3f (patch) | |
tree | 2e35e071d4faa5a57ab6ed4d74cd3ef686e1ba91 /fs | |
parent | sunrpc: fix possible overrun on read of /proc/sys/sunrpc/transports (diff) | |
download | linux-91b80969ba466ba4b915a4a1d03add8c297add3f.tar.xz linux-91b80969ba466ba4b915a4a1d03add8c297add3f.zip |
nfsd: fix buffer overrun decoding NFSv4 acl
The array we kmalloc() here is not large enough.
Thanks to Johann Dahm and David Richter for bug report and testing.
Signed-off-by: J. Bruce Fields <bfields@citi.umich.edu>
Cc: David Richter <richterd@citi.umich.edu>
Tested-by: Johann Dahm <jdahm@umich.edu>
Diffstat (limited to 'fs')
-rw-r--r-- | fs/nfsd/nfs4acl.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/fs/nfsd/nfs4acl.c b/fs/nfsd/nfs4acl.c index b6ed38380ab8..54b8b4140c8f 100644 --- a/fs/nfsd/nfs4acl.c +++ b/fs/nfsd/nfs4acl.c @@ -443,7 +443,7 @@ init_state(struct posix_acl_state *state, int cnt) * enough space for either: */ alloc = sizeof(struct posix_ace_state_array) - + cnt*sizeof(struct posix_ace_state); + + cnt*sizeof(struct posix_user_ace_state); state->users = kzalloc(alloc, GFP_KERNEL); if (!state->users) return -ENOMEM; |