mountd: Fix potential data corrupternfs-utils-2-6-2-rc3

Commit 9c99b463 typecast an uint into a int to fix a Coverity warning. Potentially this could cause a very large rogue value to be negative allow the rouge value to index into a table causing corruption. A check has been added to detect this type of situation. Reported-by: Richard Weinberger <richard@nod.at> Signed-off-by: Steve Dickson <steved@redhat.com>
author: Steve Dickson <steved@redhat.com> 2022-02-24 14:02:16 -0500
committer: Steve Dickson <steved@redhat.com> 2022-02-28 15:03:25 -0500
commit: 9df1dbe1002c732486532a46705e9b07057df69f (patch)
tree: 5a9ea234573e05b0bb74756801a7ab236b056e73
parent: 7f8463fe702174bd613df9d308cc899af25ae02e (diff)
download: nfs-utils-9df1dbe1002c732486532a46705e9b07057df69f.tar.gz
1 files changed, 3 insertions, 2 deletions
diff --git a/support/nfs/rpcdispatch.c b/support/nfs/rpcdispatch.c
index f7c27c9..7329f41 100644
--- a/support/nfs/rpcdispatch.c
+++ b/support/nfs/rpcdispatch.c
@@ -26,12 +26,13 @@ rpc_dispatch(struct svc_req *rqstp, SVCXPRT *transp,
 			void *argp, void *resp)
 {
 	struct rpc_dentry	*dent;
+	int rq_vers = (int)rqstp->rq_vers;
 
-	if (((int)rqstp->rq_vers) > nvers) {
+	if (rq_vers < 1 || rq_vers > nvers) {
 		svcerr_progvers(transp, 1, nvers);
 		return;
 	}
-	dtable += (rqstp->rq_vers - 1);
+	dtable += (rq_vers - 1);
 	if (rqstp->rq_proc > dtable->nproc) {
 		svcerr_noproc(transp);
 		return;
author	Steve Dickson <steved@redhat.com>	2022-02-24 14:02:16 -0500
committer	Steve Dickson <steved@redhat.com>	2022-02-28 15:03:25 -0500
commit	9df1dbe1002c732486532a46705e9b07057df69f (patch)
tree	5a9ea234573e05b0bb74756801a7ab236b056e73
parent	7f8463fe702174bd613df9d308cc899af25ae02e (diff)
download	nfs-utils-9df1dbe1002c732486532a46705e9b07057df69f.tar.gz