@@ -139,6 +139,12 @@ struct nfs4_acl * acl_nfs4_xattr_load(char *xattr_v, int xattr_size, u32 is_dir)
goto err1;
}
+ /*wholen should less than xattr_size*/
+ if (wholen > xattr_size) {
+ errno = EINVAL;
+ goto err1;
+ }
+
who = (char *) malloc((wholen+1) * sizeof(char));
if (who == NULL) {
errno = ENOMEM;
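Review bot: The added guard `if (wholen > xattr_size)` bounds the wire-supplied length by the size of the whole xattr, not by the bytes still unread at this ACE. A `wholen` that fits in `xattr_size` but runs past the end of the data therefore still passes, and the copy that presumably follows the `malloc` (outside this hunk) could read beyond the attribute buffer. If the function keeps a remaining-byte count, compare against that instead, e.g. `if (wholen > remaining) {`, where `remaining` is a placeholder for that counter. `xattr_size` is a signed `int`, so if `wholen` is unsigned (its declaration is outside the hunk) a negative size converts to a huge bound; reject `xattr_size < 0` before the comparison. The comment would read better as `/* wholen must not exceed the xattr size */`, which also matches the `>` test, unlike "less than".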
@@ -92,14 +92,14 @@ static int nfs4_getxattr(const char *path, void *value, size_t size)
res = getxattr(path, ACL_NFS4_XATTR, value, size);
if (res < -10000) {
- fprintf(stderr,"An internal NFS server error code (%d) was returned; this should never happen.\n",res);
+ fprintf(stderr, "An internal NFS server error code (%d) was returned; this should never happen.\n", res);
} else if (res < 0) {
if (errno == ENOATTR)
- fprintf(stderr,"Attribute not found on file.\n");
+ fprintf(stderr, "Attribute not found on file.\n");
else if (errno == EREMOTEIO)
- fprintf(stderr,"An NFS server error occurred.\n");
+ fprintf(stderr, "An NFS server error occurred.\n");
else if (errno == EOPNOTSUPP)
- fprintf(stderr,"Operation to request attribute not supported.\n");
+ fprintf(stderr, "Operation to request attribute not supported.\n");
else
perror("Failed getxattr operation");
}
An NFSv4 server can return a very large who length (e.g. wholen = 62343534343) in an FATTR4_WORD0_ACL request. This can cause nfs4_getacl to dump core when it calls 'malloc((wholen + 1) * sizeof(char))'. This patch checks whether the who length is bigger than xattr_size during getfacl. This patch also fixes some code style. Signed-off-by: Fan Chaoting <fanchaoting@cn.fujitsu.com> --- libnfs4acl/acl_nfs4_xattr_load.c | 6 ++++++ libnfs4acl/nfs4_acl_for_path.c | 8 ++++---- 2 files changed, 10 insertions(+), 4 deletions(-) -- 1.7.1 -- -- To unsubscribe from this list: send the line "unsubscribe linux-nfs" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html