Message ID | 20200413144435.1220985-1-smayhew@redhat.com (mailing list archive)
---|---
State | New, archived
Series | [nfs-utils] nfsdcld: fix possible buffer overrun in sqlite_iterate_recovery()
On 4/13/20 10:44 AM, Scott Mayhew wrote: > Prior to release, cp_data was originally intended to hold the gss > principal string. When it was changed to hold a hash of the principal > instead, the size of the field was changed but the 'n' arg of the > memcpy() in sqlite_iterate_recovery() was not. > > Signed-off-by: Scott Mayhew <smayhew@redhat.com> Committed... (tag: nfs-utils-2-4-4-rc3) steved. > --- > utils/nfsdcld/sqlite.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/utils/nfsdcld/sqlite.c b/utils/nfsdcld/sqlite.c > index 09518e2..6666c86 100644 > --- a/utils/nfsdcld/sqlite.c > +++ b/utils/nfsdcld/sqlite.c > @@ -1337,7 +1337,7 @@ sqlite_iterate_recovery(int (*cb)(struct cld_client *clnt), struct cld_client *c > cmsg->cm_u.cm_clntinfo.cc_name.cn_len = sqlite3_column_bytes(stmt, 0); > if (sqlite3_column_bytes(stmt, 1) > 0) { > memcpy(&cmsg->cm_u.cm_clntinfo.cc_princhash.cp_data, > - sqlite3_column_blob(stmt, 1), NFS4_OPAQUE_LIMIT); > + sqlite3_column_blob(stmt, 1), SHA256_DIGEST_SIZE); > cmsg->cm_u.cm_clntinfo.cc_princhash.cp_len = sqlite3_column_bytes(stmt, 1); > } > #else >
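Review bot: the corrected `memcpy()` length in this hunk is still a constant chosen independently of the destination field, which is exactly how the original overrun crept in when `cp_data` was resized. Tying the copy to the field itself removes that failure mode: `memcpy(&cmsg->cm_u.cm_clntinfo.cc_princhash.cp_data, sqlite3_column_blob(stmt, 1), sizeof(cmsg->cm_u.cm_clntinfo.cc_princhash.cp_data));` keeps the bound correct if the field changes again (assuming, as the commit message implies, that `cp_data` is an array sized to hold the digest). A short comment at the copy noting that the column holds a SHA-256 hash rather than the raw principal would also help future readers of this `#ifdef` branch.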
diff --git a/utils/nfsdcld/sqlite.c b/utils/nfsdcld/sqlite.c index 09518e2..6666c86 100644 --- a/utils/nfsdcld/sqlite.c +++ b/utils/nfsdcld/sqlite.c @@ -1337,7 +1337,7 @@ sqlite_iterate_recovery(int (*cb)(struct cld_client *clnt), struct cld_client *c cmsg->cm_u.cm_clntinfo.cc_name.cn_len = sqlite3_column_bytes(stmt, 0); if (sqlite3_column_bytes(stmt, 1) > 0) { memcpy(&cmsg->cm_u.cm_clntinfo.cc_princhash.cp_data, - sqlite3_column_blob(stmt, 1), NFS4_OPAQUE_LIMIT); + sqlite3_column_blob(stmt, 1), SHA256_DIGEST_SIZE); cmsg->cm_u.cm_clntinfo.cc_princhash.cp_len = sqlite3_column_bytes(stmt, 1); } #else
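Review bot: the guard before the copy only checks `if (sqlite3_column_bytes(stmt, 1) > 0)`, yet the hunk copies a fixed `SHA256_DIGEST_SIZE` bytes. A stored blob shorter than that (a truncated or corrupted row in the recovery database) would make `memcpy()` read past the end of the sqlite-owned column buffer, while a longer blob is silently truncated even though `cp_len = sqlite3_column_bytes(stmt, 1)` still records the full stored length, so the two fields can disagree. Suggest validating the length once and rejecting anything unexpected, e.g. `int len = sqlite3_column_bytes(stmt, 1); if (len != SHA256_DIGEST_SIZE) { xlog(L_ERROR, "unexpected principal hash length %d", len); continue; }` (or whatever error path the surrounding loop uses), then copying `len` bytes.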
Prior to release, cp_data was originally intended to hold the gss principal string. When it was changed to hold a hash of the principal instead, the size of the field was changed but the 'n' arg of the memcpy() in sqlite_iterate_recovery() was not.

Signed-off-by: Scott Mayhew <smayhew@redhat.com>
---
 utils/nfsdcld/sqlite.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)