-rw-r--r-- | fs/nfs_common/nfsacl.c | 1 | ||||
-rw-r--r-- | include/linux/sunrpc/xdr.h | 1 | ||||
-rw-r--r-- | net/sunrpc/xdr.c | 1 |
3 files changed, 3 insertions, 0 deletions
diff --git a/fs/nfs_common/nfsacl.c b/fs/nfs_common/nfsacl.c index 18c58c3..251e5a1 100644 --- a/fs/nfs_common/nfsacl.c +++ b/fs/nfs_common/nfsacl.c @@ -239,6 +239,7 @@ nfsacl_decode(struct xdr_buf *buf, unsigned int base, unsigned int *aclcnt, if (xdr_decode_word(buf, base, &entries) || entries > NFS_ACL_MAX_ENTRIES) return -EINVAL; + nfsacl_desc.desc.array_maxlen = entries; err = xdr_decode_array2(buf, base + 4, &nfsacl_desc.desc); if (err) return err; diff --git a/include/linux/sunrpc/xdr.h b/include/linux/sunrpc/xdr.h index 34ec3e8..23448d0 100644 --- a/include/linux/sunrpc/xdr.h +++ b/include/linux/sunrpc/xdr.h @@ -177,6 +177,7 @@ typedef int (*xdr_xcode_elem_t)(struct xdr_array2_desc *desc, void *elem); struct xdr_array2_desc { unsigned int elem_size; unsigned int array_len; + unsigned int array_maxlen; xdr_xcode_elem_t xcode; }; diff --git a/net/sunrpc/xdr.c b/net/sunrpc/xdr.c index 8a4d9c1..fde16f4 100644 --- a/net/sunrpc/xdr.c +++ b/net/sunrpc/xdr.c @@ -993,6 +993,7 @@ xdr_xcode_array2(struct xdr_buf *buf, unsigned int base, return -EINVAL; } else { if (xdr_decode_word(buf, base, &desc->array_len) != 0 || + desc->array_len > desc->array_maxlen || (unsigned long) base + 4 + desc->array_len * desc->elem_size > buf->len) return -EINVAL; |
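Review bot: The added `nfsacl_desc.desc.array_maxlen = entries;` in nfsacl_decode carries the key invariant but has no comment: it ties the array length word read at `base + 4` to the entry count already checked against NFS_ACL_MAX_ENTRIES. I would add a comment above it such as `/* the array's own length word must not exceed the entry count validated above */`, so a later refactor does not drop the assignment as redundant. The bound only rejects a larger length; whether an `array_len` smaller than `entries` is handled is decided after the hunk ends and should be confirmed there. The function body starts and ends outside the hunk.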
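Review bot: The new `array_maxlen` member of struct xdr_array2_desc is undocumented, although the decode path in net/sunrpc/xdr.c now rejects any `array_len` above it. A descriptor that leaves the field zero-initialised will fail every non-empty decode, and one built on the stack without an initialiser will compare against an indeterminate value. A comment on the field would make the contract explicit, e.g. `unsigned int array_maxlen; /* decode: caller-set upper bound on array_len */`. Only nfsacl_decode is updated in this commit; any other users of xdr_decode_array2 are not visible here and should be checked for the same assignment.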
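Review bot: In the decode branch of xdr_xcode_array2 the product `desc->array_len * desc->elem_size` is still computed in `unsigned int`, because the `(unsigned long)` cast binds to `base` alone. The new `array_maxlen` comparison keeps the product from wrapping only as long as every caller supplies a small bound. Widening the multiplication, `(unsigned long) base + 4 + (unsigned long) desc->array_len * desc->elem_size > buf->len`, makes the length check hold on 64-bit builds regardless of what the caller sets; on 32-bit builds it still depends on the bound. The function starts and ends outside the hunk.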