| From bfields@citi.umich.edu Wed Sep 3 09:39:51 2008 |
| From: "J. Bruce Fields" <bfields@citi.umich.edu> |
| Date: Mon, 1 Sep 2008 14:51:02 -0400 |
| Subject: nfsd: fix buffer overrun decoding NFSv4 acl |
| To: stable@kernel.org |
| Cc: linux-nfs@vger.kernel.org, "J. Bruce Fields" <bfields@citi.umich.edu>, linux-kernel@vger.kernel.org, David Richter <richterd@citi.umich.edu> |
| Message-ID: <1220295062-10957-2-git-send-email-bfields@citi.umich.edu> |
| |
| From: J. Bruce Fields <bfields@citi.umich.edu> |
| |
| commit 91b80969ba466ba4b915a4a1d03add8c297add3f upstream |
| |
| The array we kmalloc() here is not large enough. |
| |
| Thanks to Johann Dahm and David Richter for bug report and testing. |
| |
| Signed-off-by: J. Bruce Fields <bfields@citi.umich.edu> |
| Cc: David Richter <richterd@citi.umich.edu> |
| Tested-by: Johann Dahm <jdahm@umich.edu> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> |
| |
| --- |
| fs/nfsd/nfs4acl.c | 2 +- |
| 1 file changed, 1 insertion(+), 1 deletion(-) |
| |
| --- a/fs/nfsd/nfs4acl.c |
| +++ b/fs/nfsd/nfs4acl.c |
| @@ -443,7 +443,7 @@ init_state(struct posix_acl_state *state |
| * enough space for either: |
| */ |
| alloc = sizeof(struct posix_ace_state_array) |
| - + cnt*sizeof(struct posix_ace_state); |
| + + cnt*sizeof(struct posix_user_ace_state); |
| state->users = kzalloc(alloc, GFP_KERNEL); |
| if (!state->users) |
| return -ENOMEM; |
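Review bot: The size computation on the changed line still spells out the element type by hand (`cnt*sizeof(struct posix_user_ace_state)`), which is the same pattern that let the allocation fall out of step with the array it backs. Consider taking the element size from the array member of `struct posix_ace_state_array` itself, so the two cannot diverge again. The multiplication by `cnt` is also unchecked in the visible lines. If `cnt` comes from the decoded ACL, it is worth confirming it is bounded before `alloc` is passed to `kzalloc()`. The commit message says only that the array is "not large enough". A sentence naming the two struct types and which one the array actually holds would help stable reviewers judge the overrun.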