[SECURITY] Re: NFSv3 for Linux 2.2.14: new release

From: Chris Evans (chris@ferret.lmh.ox.ac.uk)
Date: Wed Apr 19 2000 - 18:36:02 EST


Hi,

In the recent NFS merges into 2.3.99-pre, I noticed what appears (by
inspection) to be a serious security flaw. Please examine the following
code (patch) fragment:

+xdr_decode_fhstatus3(struct rpc_rqst *req, u32 *p, struct mnt_fhstatus *res)
+{
+ memset((u8 *)res, 0, sizeof(*res));
+ if ((res->status = ntohl(*p++)) == 0) {
+ int size = ntohl(*p++);
+ if (size <= NFS3_FHSIZE) {
+ res->fh->size = size;
+ memcpy(res->fh->data, p, res->fh->size);
+ } else
+ res->status = -EBADHANDLE;
+ }
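Review bot: `int size = ntohl(*p++);` stores a network-supplied 32-bit value in a signed int, so the `size <= NFS3_FHSIZE` guard admits any value that wraps negative (0xFFFFFFFF reads as -1) and the following `memcpy(res->fh->data, p, res->fh->size)` is handed a length of (unsigned)-1; declare it `unsigned int size` (or `u32`) so the comparison rejects everything above NFS3_FHSIZE. The fragment also never checks that the reply buffer still holds `size` bytes beyond `p`, so a length at or below NFS3_FHSIZE but larger than the received data would still read past the end of the reply; bounding `size` by the remaining buffer length is worth adding in the same change.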

"int size" should definitely be unsigned! Otherwise, if the value
"-1" arrives over the untrusted network, it will pass the NFS3_FHSIZE
check and proceed to attempt a memcpy() of size (unsigned)-1,
i.e. 4Gb. This will upset the kernel :)

Cheers
Chris
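The signed-comparison flaw described in the message, as an added C example that is not code from the kernel patch or from the poster: the vulnerable length check beside a hardened decoder that uses an unsigned length and, going one step beyond the message, also bounds the length by the bytes actually present in the reply. It assumes NFS3_FHSIZE is 64 as in NFSv3 and EBADHANDLE is the kernel's private errno value; rd32() stands in for ntohl(*p++), and the two sample replies are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#define NFS3_FHSIZE 64   /* NFSv3 maximum file-handle length */
#define EBADHANDLE  521  /* kernel-private errno; not in userspace errno.h */

struct nfs_fh { unsigned int size; uint8_t data[NFS3_FHSIZE]; };
struct mnt_fhstatus { int status; struct nfs_fh *fh; };

/* Read a big-endian XDR u32 from a byte buffer (stand-in for ntohl(*p++)). */
static uint32_t rd32(const uint8_t *b)
{
    return ((uint32_t)b[0] << 24) | ((uint32_t)b[1] << 16) |
           ((uint32_t)b[2] << 8) | b[3];
}

/* Vulnerable form of the merged check: the wire value lands in a signed int, so
 * 0xFFFFFFFF becomes -1, passes "size <= NFS3_FHSIZE", and the memcpy() length
 * becomes (size_t)-1.  Returns the length memcpy() would be handed. */
static size_t fh_copy_len_signed(uint32_t wire_size, int *status)
{
    int size = (int)wire_size;
    if (size <= NFS3_FHSIZE) { *status = 0; return (size_t)size; }
    *status = -EBADHANDLE;
    return 0;
}

/* Hardened decoder: unsigned length, additionally bounded by the bytes actually
 * present in the reply buffer (that second check is added here). */
static int decode_fhstatus3_fixed(const uint8_t *p, size_t avail,
                                  struct mnt_fhstatus *res)
{
    memset(res->fh, 0, sizeof(*res->fh));
    if (avail < 8) return res->status = -EBADHANDLE;  /* status + length words */
    res->status = (int)rd32(p); p += 4; avail -= 4;
    if (res->status == 0) {
        unsigned int size = rd32(p); p += 4; avail -= 4;
        if (size <= NFS3_FHSIZE && size <= avail) {
            res->fh->size = size;
            memcpy(res->fh->data, p, size);
        } else
            res->status = -EBADHANDLE;
    }
    return res->status;
}

/* Constructed replies: status 0 + length 0xFFFFFFFF; status 0 + 4-byte handle. */
static const uint8_t bad_reply[8]   = { 0,0,0,0, 0xFF,0xFF,0xFF,0xFF };
static const uint8_t good_reply[12] = { 0,0,0,0, 0,0,0,4, 0xab,0xcd,0xef,0x01 };
```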
