This patch tries to fix a CVE-2019-14196 fix
In if-condition, where NFSV2_FLAG is checked, memcpy call is performed to transfer a reply data of NFS_FHSIZE size. Since the data field in struct rpc_t structure has the size of (1024 / 4) + 26 = 282, while NFS_FHSIZE is only 32, it won't lead to out-of-bounds write (considering the size of data array won't change in the future). So the memcpy call will copy exactly NFS_FHSIZE (32) bytes from (rpc_pkt.u.reply.data + 1).
Signed-off-by: gerbert gerbert@users.noreply.github.com --- net/nfs.c | 2 -- 1 file changed, 2 deletions(-)
diff --git a/net/nfs.c b/net/nfs.c index 9152ab742e..98943dde5e 100644 --- a/net/nfs.c +++ b/net/nfs.c @@ -566,8 +566,6 @@ static int nfs_lookup_reply(uchar *pkt, unsigned len) }
if (supported_nfs_versions & NFSV2_FLAG) { - if (((uchar *)&(rpc_pkt.u.reply.data[0]) - (uchar *)(&rpc_pkt) + NFS_FHSIZE) > len) - return -NFS_RPC_DROP; memcpy(filefh, rpc_pkt.u.reply.data + 1, NFS_FHSIZE); } else { /* NFSV3_FLAG */ filefh3_length = ntohl(rpc_pkt.u.reply.data[1]);