Mercurial > illumos > illumos-gate
changeset 3933:ea83e56013c8
6534147 Vulnerability in the NFS ACL code may lead to kernel panic
author | vv149972 |
---|---|
date | Fri, 30 Mar 2007 07:16:06 -0700 |
parents | efce29b04ab4 |
children | 273f6bb7e684 |
files | usr/src/uts/common/fs/nfs/nfs_acl_xdr.c |
diffstat | 1 files changed, 15 insertions(+), 3 deletions(-) [+] |
line wrap: on
line diff
--- a/usr/src/uts/common/fs/nfs/nfs_acl_xdr.c Fri Mar 30 04:14:30 2007 -0700 +++ b/usr/src/uts/common/fs/nfs/nfs_acl_xdr.c Fri Mar 30 07:16:06 2007 -0700 @@ -19,7 +19,7 @@ * CDDL HEADER END */ /* - * Copyright 2006 Sun Microsystems, Inc. All rights reserved. + * Copyright 2007 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ @@ -99,8 +99,14 @@ if (!xdr_array(xdrs, (char **)&objp->vsa_aclentp, &count, NFS_ACL_MAX_ENTRIES, sizeof (aclent_t), (xdrproc_t)xdr_aclent)) return (FALSE); - if (count != 0 && count != (uint_t)objp->vsa_aclcnt) + if (count != 0 && count != (uint_t)objp->vsa_aclcnt) { + /* + * Assign the actual array size to vsa_aclcnt before + * aborting on error + */ + objp->vsa_aclcnt = (int)count; return (FALSE); + } if (!xdr_int(xdrs, &objp->vsa_dfaclcnt)) return (FALSE); if (objp->vsa_dfaclentp != NULL) @@ -110,8 +116,14 @@ if (!xdr_array(xdrs, (char **)&objp->vsa_dfaclentp, &count, NFS_ACL_MAX_ENTRIES, sizeof (aclent_t), (xdrproc_t)xdr_aclent)) return (FALSE); - if (count != 0 && count != (uint_t)objp->vsa_dfaclcnt) + if (count != 0 && count != (uint_t)objp->vsa_dfaclcnt) { + /* + * Assign the actual array size to vsa_dfaclcnt before + * aborting on error + */ + objp->vsa_dfaclcnt = (int)count; return (FALSE); + } return (TRUE); }