diff options
| author | Stefan Hajnoczi <stefanha@redhat.com> | 2016-02-18 18:55:54 +0000 |
|---|---|---|
| committer | Sasha Levin <sasha.levin@oracle.com> | 2016-03-08 01:14:06 -0500 |
| commit | 7459f09bc5bd0f9beb22aa7643e2d5476431164e (patch) | |
| tree | dd03ad00cef15bdf2e7a3802f265456c44384868 /net | |
| parent | ae5a9780d7bee99a2968abd95ec910f31a1e82bf (diff) | |
| download | linux-stable-7459f09bc5bd0f9beb22aa7643e2d5476431164e.tar.gz linux-stable-7459f09bc5bd0f9beb22aa7643e2d5476431164e.tar.bz2 linux-stable-7459f09bc5bd0f9beb22aa7643e2d5476431164e.zip | |
sunrpc/cache: fix off-by-one in qword_get()
[ Upstream commit b7052cd7bcf3c1478796e93e3dff2b44c9e82943 ]
The qword_get() function NUL-terminates its output buffer. If the input
string is in hex format \xXXXX... and the same length as the output
buffer, there is an off-by-one:
int qword_get(char **bpp, char *dest, int bufsize)
{
...
while (len < bufsize) {
...
*dest++ = (h << 4) | l;
len++;
}
...
*dest = '\0';
return len;
}
This patch ensures the NUL terminator doesn't fall outside the output
buffer.
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Cc: stable@vger.kernel.org
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Diffstat (limited to 'net')
| -rw-r--r-- | net/sunrpc/cache.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/net/sunrpc/cache.c b/net/sunrpc/cache.c index 48f14003af10..14d38ec5e53d 100644 --- a/net/sunrpc/cache.c +++ b/net/sunrpc/cache.c @@ -1230,7 +1230,7 @@ int qword_get(char **bpp, char *dest, int bufsize) if (bp[0] == '\\' && bp[1] == 'x') { /* HEX STRING */ bp += 2; - while (len < bufsize) { + while (len < bufsize - 1) { int h, l; h = hex_to_bin(bp[0]); |