summaryrefslogtreecommitdiff
path: root/net/sunrpc/auth_gss
diff options
context:
space:
mode:
authorDan Carpenter <dan.carpenter@oracle.com>2015-02-24 18:34:01 +0300
committerJ. Bruce Fields <bfields@redhat.com>2015-02-26 23:40:16 +0300
commit76cb4be993c03bf9ec65a58b13f12c679bb041e4 (patch)
tree03b3d028748f40de41ec8a71a83524e77f758a9d /net/sunrpc/auth_gss
parentc876486be17aeefe0da569f3d111cbd8de6f675d (diff)
downloadlinux-76cb4be993c03bf9ec65a58b13f12c679bb041e4.tar.xz
sunrpc: integer underflow in rsc_parse()
If we call groups_alloc() with invalid values then it's might lead to memory corruption. For example, with a negative value then we might not allocate enough for sizeof(struct group_info). (We're doing this in the caller for consistency with other callers of groups_alloc(). The other alternative might be to move the check out of all the callers into groups_alloc().) Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Reviewed-by: Simo Sorce <simo@redhat.com> Signed-off-by: J. Bruce Fields <bfields@redhat.com>
Diffstat (limited to 'net/sunrpc/auth_gss')
-rw-r--r--net/sunrpc/auth_gss/svcauth_gss.c2
1 files changed, 2 insertions, 0 deletions
diff --git a/net/sunrpc/auth_gss/svcauth_gss.c b/net/sunrpc/auth_gss/svcauth_gss.c
index 224a82f24d3c..1095be9c80ab 100644
--- a/net/sunrpc/auth_gss/svcauth_gss.c
+++ b/net/sunrpc/auth_gss/svcauth_gss.c
@@ -463,6 +463,8 @@ static int rsc_parse(struct cache_detail *cd,
/* number of additional gid's */
if (get_int(&mesg, &N))
goto out;
+ if (N < 0 || N > NGROUPS_MAX)
+ goto out;
status = -ENOMEM;
rsci.cred.cr_group_info = groups_alloc(N);
if (rsci.cred.cr_group_info == NULL)