SUNRPC: Fix integer overflow in decode_rc_list()

[ Upstream commit 6dbf1f341b6b35bcc20ff95b6b315e509f6c5369 ] The math in "rc_list->rcl_nrefcalls * 2 * sizeof(uint32_t)" could have an integer overflow. Add bounds checking on rc_list->rcl_nrefcalls to fix that. Fixes: 4aece6a19cf7 ("nfs41: cb_sequence xdr implementation") Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org> Signed-off-by: Anna Schumaker <anna.schumaker@oracle.com> Signed-off-by: Sasha Levin <sashal@kernel.org>
author: Dan Carpenter <dan.carpenter@linaro.org> 2024-09-19 11:50:33 +0300
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2024-10-17 16:08:33 +0300
commit: 64f1b4922b6e042473e4980a06a2d908bdb6943f (patch)
tree: 1eb74c0cc4084c17ac384ad52cd24b0885c79044
parent: 1fc13f6a41665217480b977f31cdddc47646a3c5 (diff)
download: linux-64f1b4922b6e042473e4980a06a2d908bdb6943f.tar.xz
1 files changed, 2 insertions, 0 deletions
diff --git a/fs/nfs/callback_xdr.c b/fs/nfs/callback_xdr.c
index db69fc267c9a..c8f5a0555ad2 100644
--- a/fs/nfs/callback_xdr.c
+++ b/fs/nfs/callback_xdr.c
@@ -372,6 +372,8 @@ static __be32 decode_rc_list(struct xdr_stream *xdr,
 
 	rc_list->rcl_nrefcalls = ntohl(*p++);
 	if (rc_list->rcl_nrefcalls) {
+		if (unlikely(rc_list->rcl_nrefcalls > xdr->buf->len))
+			goto out;
 		p = xdr_inline_decode(xdr,
 			     rc_list->rcl_nrefcalls * 2 * sizeof(uint32_t));
 		if (unlikely(p == NULL))
author	Dan Carpenter <dan.carpenter@linaro.org>	2024-09-19 11:50:33 +0300
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2024-10-17 16:08:33 +0300
commit	64f1b4922b6e042473e4980a06a2d908bdb6943f (patch)
tree	1eb74c0cc4084c17ac384ad52cd24b0885c79044
parent	1fc13f6a41665217480b977f31cdddc47646a3c5 (diff)
download	linux-64f1b4922b6e042473e4980a06a2d908bdb6943f.tar.xz