diff options
author | Dan Carpenter <dan.carpenter@oracle.com> | 2015-02-24 18:34:01 +0300 |
---|---|---|
committer | J. Bruce Fields <bfields@redhat.com> | 2015-02-26 15:40:16 -0500 |
commit | 76cb4be993c03bf9ec65a58b13f12c679bb041e4 (patch) | |
tree | 03b3d028748f40de41ec8a71a83524e77f758a9d /net/sunrpc/auth_gss/svcauth_gss.c | |
parent | c876486be17aeefe0da569f3d111cbd8de6f675d (diff) | |
download | talos-obmc-linux-76cb4be993c03bf9ec65a58b13f12c679bb041e4.tar.gz talos-obmc-linux-76cb4be993c03bf9ec65a58b13f12c679bb041e4.zip |
sunrpc: integer underflow in rsc_parse()
If we call groups_alloc() with invalid values then it's might lead to
memory corruption. For example, with a negative value then we might not
allocate enough for sizeof(struct group_info).
(We're doing this in the caller for consistency with other callers of
groups_alloc(). The other alternative might be to move the check out of
all the callers into groups_alloc().)
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
Diffstat (limited to 'net/sunrpc/auth_gss/svcauth_gss.c')
-rw-r--r-- | net/sunrpc/auth_gss/svcauth_gss.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/net/sunrpc/auth_gss/svcauth_gss.c b/net/sunrpc/auth_gss/svcauth_gss.c index 224a82f24d3c..1095be9c80ab 100644 --- a/net/sunrpc/auth_gss/svcauth_gss.c +++ b/net/sunrpc/auth_gss/svcauth_gss.c @@ -463,6 +463,8 @@ static int rsc_parse(struct cache_detail *cd, /* number of additional gid's */ if (get_int(&mesg, &N)) goto out; + if (N < 0 || N > NGROUPS_MAX) + goto out; status = -ENOMEM; rsci.cred.cr_group_info = groups_alloc(N); if (rsci.cred.cr_group_info == NULL) |