SUNRPC: Fix integer overflow in decode_rc_list()
The math in "rc_list->rcl_nrefcalls * 2 * sizeof(uint32_t)" could have an
integer overflow. Add bounds checking on rc_list->rcl_nrefcalls to fix
that.
Fixes: 4aece6a19c
("nfs41: cb_sequence xdr implementation")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Signed-off-by: Anna Schumaker <anna.schumaker@oracle.com>
This commit is contained in:
parent
1d498df44e
commit
6dbf1f341b
@ -375,6 +375,8 @@ static __be32 decode_rc_list(struct xdr_stream *xdr,
|
|||||||
|
|
||||||
rc_list->rcl_nrefcalls = ntohl(*p++);
|
rc_list->rcl_nrefcalls = ntohl(*p++);
|
||||||
if (rc_list->rcl_nrefcalls) {
|
if (rc_list->rcl_nrefcalls) {
|
||||||
|
if (unlikely(rc_list->rcl_nrefcalls > xdr->buf->len))
|
||||||
|
goto out;
|
||||||
p = xdr_inline_decode(xdr,
|
p = xdr_inline_decode(xdr,
|
||||||
rc_list->rcl_nrefcalls * 2 * sizeof(uint32_t));
|
rc_list->rcl_nrefcalls * 2 * sizeof(uint32_t));
|
||||||
if (unlikely(p == NULL))
|
if (unlikely(p == NULL))
|
||||||
|
Loading…
Reference in New Issue
Block a user