diff options
author | J. Bruce Fields <bfields@citi.umich.edu> | 2008-08-29 19:18:45 -0400 |
---|---|---|
committer | J. Bruce Fields <bfields@citi.umich.edu> | 2008-09-01 14:24:24 -0400 |
commit | 91b80969ba466ba4b915a4a1d03add8c297add3f (patch) | |
tree | 2e35e071d4faa5a57ab6ed4d74cd3ef686e1ba91 | |
parent | 27df6f25ff218072e0e879a96beeb398a79cdbc8 (diff) | |
download | linux-stable-91b80969ba466ba4b915a4a1d03add8c297add3f.tar.gz linux-stable-91b80969ba466ba4b915a4a1d03add8c297add3f.tar.bz2 linux-stable-91b80969ba466ba4b915a4a1d03add8c297add3f.zip |
nfsd: fix buffer overrun decoding NFSv4 acl
The array we kmalloc() here is not large enough.
Thanks to Johann Dahm and David Richter for bug report and testing.
Signed-off-by: J. Bruce Fields <bfields@citi.umich.edu>
Cc: David Richter <richterd@citi.umich.edu>
Tested-by: Johann Dahm <jdahm@umich.edu>
-rw-r--r-- | fs/nfsd/nfs4acl.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/fs/nfsd/nfs4acl.c b/fs/nfsd/nfs4acl.c index b6ed38380ab8..54b8b4140c8f 100644 --- a/fs/nfsd/nfs4acl.c +++ b/fs/nfsd/nfs4acl.c @@ -443,7 +443,7 @@ init_state(struct posix_acl_state *state, int cnt) * enough space for either: */ alloc = sizeof(struct posix_ace_state_array) - + cnt*sizeof(struct posix_ace_state); + + cnt*sizeof(struct posix_user_ace_state); state->users = kzalloc(alloc, GFP_KERNEL); if (!state->users) return -ENOMEM; |