NFSv4: Check for buffer length in __nfs4_get_acl_uncached

Commit 1f1ea6c "NFSv4: Fix buffer overflow checking in
__nfs4_get_acl_uncached" accidently dropped the checking for too small
result buffer length.

If someone uses getxattr on "system.nfs4_acl" on an NFSv4 mount
supporting ACLs, the ACL has not been cached and the buffer suplied is
too short, we still copy the complete ACL, resulting in kernel and user
space memory corruption.

Signed-off-by: Sven Wegener <sven.wegener@stealer.net>
Cc: stable@kernel.org
Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>

diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c
index 5eec4429970c6e98af7a18732794c6fceaba4951..05e5f6f9f2b80b22fa306d33fcdd06c6540725f3 100644 (file)
--- a/fs/nfs/nfs4proc.c
+++ b/fs/nfs/nfs4proc.c
@@ -3937,8 +3937,13 @@ static ssize_t __nfs4_get_acl_uncached(struct inode *inode, void *buf, size_t bu
                goto out_free;
        }
        nfs4_write_cached_acl(inode, pages, res.acl_data_offset, res.acl_len);
-       if (buf)
+       if (buf) {
+               if (res.acl_len > buflen) {
+                       ret = -ERANGE;
+                       goto out_free;
+               }
                _copy_from_pages(buf, pages, res.acl_data_offset, res.acl_len);
+       }
 out_ok:
        ret = res.acl_len;
 out_free: