2022-02-24 19:20:27

by Steve Dickson

Subject: [PATCH] mountd: Fix potential data corrupter

Commit 9c99b463 typecast a uint into an int
to fix a Coverity warning. Potentially this
could cause a very large rogue value to be
negative, allowing the rogue value to index into
a table, causing corruption.

A check has been added to detect this type
of situation.

Signed-off-by: Steve Dickson <[email protected]>
---
support/nfs/rpcdispatch.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/support/nfs/rpcdispatch.c b/support/nfs/rpcdispatch.c
index f7c27c98..7329f419 100644
--- a/support/nfs/rpcdispatch.c
+++ b/support/nfs/rpcdispatch.c
@@ -26,12 +26,13 @@ rpc_dispatch(struct svc_req *rqstp, SVCXPRT *transp,
void *argp, void *resp)
{
struct rpc_dentry *dent;
+ int rq_vers = (int)rqstp->rq_vers;

- if (((int)rqstp->rq_vers) > nvers) {
+ if (rq_vers < 1 || rq_vers > nvers) {
svcerr_progvers(transp, 1, nvers);
return;
}
- dtable += (rqstp->rq_vers - 1);
+ dtable += (rq_vers - 1);
if (rqstp->rq_proc > dtable->nproc) {
svcerr_noproc(transp);
return;
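
Review bot: The new "rq_vers < 1" test only works because the (int) cast turns a very large unsigned rqstp->rq_vers into a negative number, and converting an out-of-range unsigned value to int is implementation-defined in C. Keeping the value unsigned and rejecting it with "rq_vers == 0 || rq_vers > (unsigned)nvers" would catch both zero and oversized versions without depending on that conversion. The commit message could also carry a Fixes: line naming 9c99b463, since it identifies that commit as the origin.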
--
2.34.1


2022-02-28 20:29:56

by Steve Dickson

Subject: Re: [PATCH] mountd: Fix potential data corrupter



On 2/24/22 2:06 PM, Steve Dickson wrote:
> Commit 9c99b463 typecast a uint into an int
> to fix a Coverity warning. Potentially this
> could cause a very large rogue value to be
> negative, allowing the rogue value to index into
> a table, causing corruption.
>
> A check has been added to detect this type
> of situation.
>
> Signed-off-by: Steve Dickson <[email protected]>
Committed... (tag: nfs-utils-2-6-2-rc3)
With the addition of
Reported-by: Richard Weinberger <[email protected]>

steved.
> ---
> support/nfs/rpcdispatch.c | 5 +++--
> 1 file changed, 3 insertions(+), 2 deletions(-)
>
> diff --git a/support/nfs/rpcdispatch.c b/support/nfs/rpcdispatch.c
> index f7c27c98..7329f419 100644
> --- a/support/nfs/rpcdispatch.c
> +++ b/support/nfs/rpcdispatch.c
> @@ -26,12 +26,13 @@ rpc_dispatch(struct svc_req *rqstp, SVCXPRT *transp,
> void *argp, void *resp)
> {
> struct rpc_dentry *dent;
> + int rq_vers = (int)rqstp->rq_vers;
>
> - if (((int)rqstp->rq_vers) > nvers) {
> + if (rq_vers < 1 || rq_vers > nvers) {
> svcerr_progvers(transp, 1, nvers);
> return;
> }
> - dtable += (rqstp->rq_vers - 1);
> + dtable += (rq_vers - 1);
> if (rqstp->rq_proc > dtable->nproc) {
> svcerr_noproc(transp);
> return;
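
Review bot: The unchanged rq_proc test at the end of this hunk still compares with ">" against dtable->nproc, so a request whose rq_proc equals nproc is accepted. If nproc is a count of entries rather than the highest valid procedure number, that comparison should be ">="; it is worth confirming which one is meant while the version check directly above it is being tightened.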