diff options
author | Steve Dickson <steved@redhat.com> | 2022-02-24 14:02:16 -0500 |
---|---|---|
committer | Steve Dickson <steved@redhat.com> | 2022-02-28 15:03:25 -0500 |
commit | 9df1dbe1002c732486532a46705e9b07057df69f (patch) | |
tree | 5a9ea234573e05b0bb74756801a7ab236b056e73 | |
parent | 7f8463fe702174bd613df9d308cc899af25ae02e (diff) | |
download | nfs-utils-9df1dbe1002c732486532a46705e9b07057df69f.tar.gz |
mountd: Fix potential data corrupternfs-utils-2-6-2-rc3
Commit 9c99b463 typecast an uint into a int
to fix a Coverity warning. Potentially this
could cause a very large rogue value to be
negative allow the rouge value to index into
a table causing corruption.
A check has been added to detect this type
of situation.
Reported-by: Richard Weinberger <richard@nod.at>
Signed-off-by: Steve Dickson <steved@redhat.com>
-rw-r--r-- | support/nfs/rpcdispatch.c | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/support/nfs/rpcdispatch.c b/support/nfs/rpcdispatch.c index f7c27c9..7329f41 100644 --- a/support/nfs/rpcdispatch.c +++ b/support/nfs/rpcdispatch.c @@ -26,12 +26,13 @@ rpc_dispatch(struct svc_req *rqstp, SVCXPRT *transp, void *argp, void *resp) { struct rpc_dentry *dent; + int rq_vers = (int)rqstp->rq_vers; - if (((int)rqstp->rq_vers) > nvers) { + if (rq_vers < 1 || rq_vers > nvers) { svcerr_progvers(transp, 1, nvers); return; } - dtable += (rqstp->rq_vers - 1); + dtable += (rq_vers - 1); if (rqstp->rq_proc > dtable->nproc) { svcerr_noproc(transp); return; |