Re: Potential xdr_xcode_array2 security issue (was: Re: [PATCH] RPC: Encode and decode arbitrary XDR arrays)
From: Andreas Gruenbacher
Date: Thu Jun 23 2005 - 05:16:45 EST
On Thursday 23 June 2005 07:48, Florian Weimer wrote:
> This looks suspiciously like CVE-2002-0391.
Thanks, Florian. How about the attached patch?
Cheers,
Andreas.
From: Andreas Gruenbacher <agruen@xxxxxxx>
Subject: Overflow in xdr input validation
The bounds check in xdr_xcode_array2 can overflow. Reported by
Florian Weimer <fw@xxxxxxxxxxxxx>.
Signed-off-by: Andreas Gruenbacher <agruen@xxxxxxx>
Index: linux-2.6.5/net/sunrpc/xdr.c
===================================================================
--- linux-2.6.5.orig/net/sunrpc/xdr.c
+++ linux-2.6.5/net/sunrpc/xdr.c
@@ -989,8 +989,7 @@ xdr_xcode_array2(struct xdr_buf *buf, un
return -EINVAL;
} else {
if (xdr_decode_word(buf, base, &desc->array_len) != 0 ||
- (unsigned long) base + 4 + desc->array_len *
- desc->elem_size > buf->len)
+ desc->array_len > (buf->len - base - 4) / desc->elem_size)
return -EINVAL;
}
base += 4;
@@ -1158,8 +1157,8 @@ int
xdr_encode_array2(struct xdr_buf *buf, unsigned int base,
struct xdr_array2_desc *desc)
{
- if ((unsigned long) base + 4 + desc->array_len * desc->elem_size >
- buf->head->iov_len + buf->page_len + buf->tail->iov_len)
+ if (buf->head->iov_len + buf->page_len + buf->tail->iov_len -
+ base < desc->array_len * desc->elem_size + 4)
return -EINVAL;
return xdr_xcode_array2(buf, base, desc, 1);