changeset 3933:ea83e56013c8

6534147 Vulnerability in the NFS ACL code may lead to kernel panic
author vv149972
date Fri, 30 Mar 2007 07:16:06 -0700
parents efce29b04ab4
children 273f6bb7e684
files usr/src/uts/common/fs/nfs/nfs_acl_xdr.c
diffstat 1 files changed, 15 insertions(+), 3 deletions(-) [+]
--- a/usr/src/uts/common/fs/nfs/nfs_acl_xdr.c	Fri Mar 30 04:14:30 2007 -0700
+++ b/usr/src/uts/common/fs/nfs/nfs_acl_xdr.c	Fri Mar 30 07:16:06 2007 -0700
@@ -19,7 +19,7 @@
  * CDDL HEADER END
  */
 /*
- * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
+ * Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
  * Use is subject to license terms.
  */
 
@@ -99,8 +99,14 @@
 	if (!xdr_array(xdrs, (char **)&objp->vsa_aclentp, &count,
 	    NFS_ACL_MAX_ENTRIES, sizeof (aclent_t), (xdrproc_t)xdr_aclent))
 		return (FALSE);
-	if (count != 0 && count != (uint_t)objp->vsa_aclcnt)
+	if (count != 0 && count != (uint_t)objp->vsa_aclcnt) {
+		/*
+		 * Assign the actual array size to vsa_aclcnt before
+		 * aborting on error
+		 */
+		objp->vsa_aclcnt = (int)count;
 		return (FALSE);
+	}
 	if (!xdr_int(xdrs, &objp->vsa_dfaclcnt))
 		return (FALSE);
 	if (objp->vsa_dfaclentp != NULL)
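Review bot: The new comment in the `count != (uint_t)objp->vsa_aclcnt` branch says what the assignment does but not why it matters, and the reason is the part a later maintainer must not lose. Presumably the caller's cleanup sizes the release of `vsa_aclentp` from `vsa_aclcnt`, so a count that disagrees with the decoded array would otherwise be trusted on the error path; I would word it as `/* Keep vsa_aclcnt equal to the number of entries xdr_array() decoded, so cleanup after this failure does not rely on the separately decoded count. */`. The same applies to the `vsa_dfaclcnt` branch in the next hunk. The `count == 0` case still returns success with a non-zero count field, so it is worth confirming that no consumer treats the count as an array length when the entry pointer is NULL. The function body starts outside this hunk, so the decode of `vsa_aclcnt` itself is not visible here.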
@@ -110,8 +116,14 @@
 	if (!xdr_array(xdrs, (char **)&objp->vsa_dfaclentp, &count,
 	    NFS_ACL_MAX_ENTRIES, sizeof (aclent_t), (xdrproc_t)xdr_aclent))
 		return (FALSE);
-	if (count != 0 && count != (uint_t)objp->vsa_dfaclcnt)
+	if (count != 0 && count != (uint_t)objp->vsa_dfaclcnt) {
+		/*
+		 * Assign the actual array size to vsa_dfaclcnt before
+		 * aborting on error
+		 */
+		objp->vsa_dfaclcnt = (int)count;
 		return (FALSE);
+	}
 	return (TRUE);
 }