Message ID | 20220224190604.291491-1-steved@redhat.com (mailing list archive) |
---|---|
State | New, archived |
Series | mountd: Fix potential data corrupter |

On 2/24/22 2:06 PM, Steve Dickson wrote:
> Commit 9c99b463 typecast a uint into an int
> to fix a Coverity warning. Potentially this
> could cause a very large rogue value to be
> negative, allowing the rogue value to index into
> a table, causing corruption.
>
> A check has been added to detect this type
> of situation.
>
> Signed-off-by: Steve Dickson <steved@redhat.com>

Committed... (tag: nfs-utils-2-6-2-rc3)

With the addition of
Reported-by: Richard Weinberger <richard@nod.at>

steved.

> ---
> support/nfs/rpcdispatch.c | 5 +++--
> 1 file changed, 3 insertions(+), 2 deletions(-)
>
> diff --git a/support/nfs/rpcdispatch.c b/support/nfs/rpcdispatch.c > index f7c27c98..7329f419 100644 > --- a/support/nfs/rpcdispatch.c > +++ b/support/nfs/rpcdispatch.c > @@ -26,12 +26,13 @@ rpc_dispatch(struct svc_req *rqstp, SVCXPRT *transp, > void *argp, void *resp) > { > struct rpc_dentry *dent; > + int rq_vers = (int)rqstp->rq_vers; > > - if (((int)rqstp->rq_vers) > nvers) { > + if (rq_vers < 1 || rq_vers > nvers) { > svcerr_progvers(transp, 1, nvers); > return; > } > - dtable += (rqstp->rq_vers - 1); > + dtable += (rq_vers - 1); > if (rqstp->rq_proc > dtable->nproc) { > svcerr_noproc(transp); > return;

diff --git a/support/nfs/rpcdispatch.c b/support/nfs/rpcdispatch.c index f7c27c98..7329f419 100644 --- a/support/nfs/rpcdispatch.c +++ b/support/nfs/rpcdispatch.c @@ -26,12 +26,13 @@ rpc_dispatch(struct svc_req *rqstp, SVCXPRT *transp, void *argp, void *resp) { struct rpc_dentry *dent; + int rq_vers = (int)rqstp->rq_vers; - if (((int)rqstp->rq_vers) > nvers) { + if (rq_vers < 1 || rq_vers > nvers) { svcerr_progvers(transp, 1, nvers); return; } - dtable += (rqstp->rq_vers - 1); + dtable += (rq_vers - 1); if (rqstp->rq_proc > dtable->nproc) { svcerr_noproc(transp); return;
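
Review bot: the added `int rq_vers = (int)rqstp->rq_vers;` keeps the bounds check dependent on an unsigned-to-int conversion, whose result for values above INT_MAX is implementation-defined. The new `rq_vers < 1` test rejects the negative values that conversion yields in practice, and also version 0, which under the old check still reached `dtable += (rqstp->rq_vers - 1)`. Comparing the unsigned value directly (for example `rqstp->rq_vers < 1 || rqstp->rq_vers > (unsigned int)nvers`, assuming nvers is never negative) would make the check independent of the cast and leave no signed intermediate to reason about. Separately, the unchanged context line `if (rqstp->rq_proc > dtable->nproc)` admits `rq_proc == nproc`; it is worth confirming that nproc is the highest valid procedure number rather than a count.
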
Commit 9c99b463 typecast a uint into an int to fix a Coverity warning. Potentially this could cause a very large rogue value to be negative, allowing the rogue value to index into a table, causing corruption.

A check has been added to detect this type of situation.

Signed-off-by: Steve Dickson <steved@redhat.com>
---
support/nfs/rpcdispatch.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)