2008-09-03 17:46:45

by Greg KH

[permalink] [raw]
Subject: [patch 39/42] nfsd: fix buffer overrun decoding NFSv4 acl

2.6.26-stable review patch. If anyone has any objections, please let us know.

------------------

From: J. Bruce Fields <[email protected]>

commit 91b80969ba466ba4b915a4a1d03add8c297add3f upstream

The array we kmalloc() here is not large enough.

Thanks to Johann Dahm and David Richter for bug report and testing.

Signed-off-by: J. Bruce Fields <[email protected]>
Cc: David Richter <[email protected]>
Tested-by: Johann Dahm <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
fs/nfsd/nfs4acl.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/nfsd/nfs4acl.c
+++ b/fs/nfsd/nfs4acl.c
@@ -443,7 +443,7 @@ init_state(struct posix_acl_state *state
* enough space for either:
*/
alloc = sizeof(struct posix_ace_state_array)
- + cnt*sizeof(struct posix_ace_state);
+ + cnt*sizeof(struct posix_user_ace_state);
state->users = kzalloc(alloc, GFP_KERNEL);
if (!state->users)
return -ENOMEM;

--