Gitweb:     
http://git.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=e65fe3976f594603ed7b1b4a99d3e9b867f573ea
Commit:     e65fe3976f594603ed7b1b4a99d3e9b867f573ea
Parent:     d66968f207b6402fd12c20145cb31dbe3608979c
Author:     Chuck Lever <[EMAIL PROTECTED]>
AuthorDate: Tue Sep 11 18:00:31 2007 -0400
Committer:  Trond Myklebust <[EMAIL PROTECTED]>
CommitDate: Tue Oct 9 17:16:48 2007 -0400

    SUNRPC: Make rpcb_decode_getaddr more picky about universal addresses
    
    Add better sanity checking of server replies to the GETVERSADDR reply
    decoder.  Change the error return code: EIO is what other XDR decoding
    routines return if there is a failure while decoding.
    
    Signed-off-by: Chuck Lever <[EMAIL PROTECTED]>
    Signed-off-by: Trond Myklebust <[EMAIL PROTECTED]>
---
 net/sunrpc/rpcb_clnt.c |   28 +++++++++++++++++++++++-----
 1 files changed, 23 insertions(+), 5 deletions(-)

diff --git a/net/sunrpc/rpcb_clnt.c b/net/sunrpc/rpcb_clnt.c
index f88ab90..34738c5 100644
--- a/net/sunrpc/rpcb_clnt.c
+++ b/net/sunrpc/rpcb_clnt.c
@@ -528,12 +528,19 @@ static int rpcb_decode_getaddr(struct rpc_rqst *req, 
__be32 *p,
 
        *portp = 0;
        addr_len = ntohl(*p++);
-       if (addr_len > RPCB_MAXADDRLEN)                 /* sanity */
-               return -EINVAL;
-
-       dprintk("RPC:       rpcb_decode_getaddr returned string: '%s'\n",
-                       (char *) p);
 
+       /*
+        * Simple sanity check.  The smallest possible universal
+        * address is an IPv4 address string containing 11 bytes.
+        */
+       if (addr_len < 11 || addr_len > RPCB_MAXADDRLEN)
+               goto out_err;
+
+       /*
+        * Start at the end and walk backwards until the first dot
+        * is encountered.  When the second dot is found, we have
+        * both parts of the port number.
+        */
        addr = (char *)p;
        val = 0;
        first = 1;
@@ -555,8 +562,19 @@ static int rpcb_decode_getaddr(struct rpc_rqst *req, 
__be32 *p,
                }
        }
 
+       /*
+        * Simple sanity check.  If we never saw a dot in the reply,
+        * then this was probably just garbage.
+        */
+       if (first)
+               goto out_err;
+
        dprintk("RPC:       rpcb_decode_getaddr port=%u\n", *portp);
        return 0;
+
+out_err:
+       dprintk("RPC:       rpcbind server returned malformed reply\n");
+       return -EIO;
 }
 
 #define RPCB_program_sz                (1u)
-
To unsubscribe from this list: send the line "unsubscribe git-commits-head" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Reply via email to