2020-04-13 15:34:33

by Scott Mayhew

Subject: [nfs-utils PATCH] nfsdcld: fix possible buffer overrun in sqlite_iterate_recovery()

Prior to release, cp_data was originally intended to hold the gss
principal string. When it was changed to hold a hash of the principal
instead, the size of the field was changed but the 'n' arg of the
memcpy() in sqlite_iterate_recovery() was not.

Signed-off-by: Scott Mayhew <[email protected]>
---
utils/nfsdcld/sqlite.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/utils/nfsdcld/sqlite.c b/utils/nfsdcld/sqlite.c
index 09518e2..6666c86 100644
--- a/utils/nfsdcld/sqlite.c
+++ b/utils/nfsdcld/sqlite.c
@@ -1337,7 +1337,7 @@ sqlite_iterate_recovery(int (*cb)(struct cld_client *clnt), struct cld_client *c
cmsg->cm_u.cm_clntinfo.cc_name.cn_len = sqlite3_column_bytes(stmt, 0);
if (sqlite3_column_bytes(stmt, 1) > 0) {
memcpy(&cmsg->cm_u.cm_clntinfo.cc_princhash.cp_data,
- sqlite3_column_blob(stmt, 1), NFS4_OPAQUE_LIMIT);
+ sqlite3_column_blob(stmt, 1), SHA256_DIGEST_SIZE);
cmsg->cm_u.cm_clntinfo.cc_princhash.cp_len = sqlite3_column_bytes(stmt, 1);
}
#else
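Review bot: the corrected bound still ignores the blob's actual length, so a stored principal-hash blob shorter than SHA256_DIGEST_SIZE makes the memcpy over-read the buffer returned by sqlite3_column_blob(stmt, 1), and cp_len (set on the following line from sqlite3_column_bytes(stmt, 1)) can then disagree with the number of bytes actually copied into cp_data. Since the enclosing `if` already fetches that length, consider validating it before copying, e.g. `if (sqlite3_column_bytes(stmt, 1) != SHA256_DIGEST_SIZE)` skip or reject the record (or clamp the copy to the smaller of the two values), and prefer `sizeof(cmsg->cm_u.cm_clntinfo.cc_princhash.cp_data)` over a separately maintained constant so the copy length cannot drift from the field size again, which is exactly how this overrun was introduced.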
--
2.25.1


2020-04-14 16:14:36

by Steve Dickson

Subject: Re: [nfs-utils PATCH] nfsdcld: fix possible buffer overrun in sqlite_iterate_recovery()



On 4/13/20 10:44 AM, Scott Mayhew wrote:
> Prior to release, cp_data was originally intended to hold the gss
> principal string. When it was changed to hold a hash of the principal
> instead, the size of the field was changed but the 'n' arg of the
> memcpy() in sqlite_iterate_recovery() was not.
>
> Signed-off-by: Scott Mayhew <[email protected]>
Committed... (tag: nfs-utils-2-4-4-rc3)

steved.
> ---
> utils/nfsdcld/sqlite.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/utils/nfsdcld/sqlite.c b/utils/nfsdcld/sqlite.c
> index 09518e2..6666c86 100644
> --- a/utils/nfsdcld/sqlite.c
> +++ b/utils/nfsdcld/sqlite.c
> @@ -1337,7 +1337,7 @@ sqlite_iterate_recovery(int (*cb)(struct cld_client *clnt), struct cld_client *c
> cmsg->cm_u.cm_clntinfo.cc_name.cn_len = sqlite3_column_bytes(stmt, 0);
> if (sqlite3_column_bytes(stmt, 1) > 0) {
> memcpy(&cmsg->cm_u.cm_clntinfo.cc_princhash.cp_data,
> - sqlite3_column_blob(stmt, 1), NFS4_OPAQUE_LIMIT);
> + sqlite3_column_blob(stmt, 1), SHA256_DIGEST_SIZE);
> cmsg->cm_u.cm_clntinfo.cc_princhash.cp_len = sqlite3_column_bytes(stmt, 1);
> }
> #else
>