1From cf3a4f1e86ecdd24f87b615051b49d8e1968c230 Mon Sep 17 00:00:00 2001 2From: "liucheng (G)" <liucheng32@huawei.com> 3Date: Thu, 29 Aug 2019 13:47:54 +0000 4Subject: [PATCH] CVE-2019-14195: nfs: fix unbounded memcpy with unvalidated 5 length at nfs_readlink_reply 6MIME-Version: 1.0 7Content-Type: text/plain; charset=utf8 8Content-Transfer-Encoding: 8bit 9 10This patch adds a check to rpc_pkt.u.reply.data at nfs_readlink_reply. 11 12Signed-off-by: Cheng Liu <liucheng32@huawei.com> 13Reported-by: FermÃn Serna <fermin@semmle.com> 14Acked-by: Joe Hershberger <joe.hershberger@ni.com> 15--- 16 net/nfs.c | 3 +++ 17 1 file changed, 3 insertions(+) 18 19diff --git a/net/nfs.c b/net/nfs.c 20index 11941fa..915acd9 100644 21--- a/net/nfs.c 22+++ b/net/nfs.c 23@@ -634,6 +634,9 @@ static int nfs_readlink_reply(uchar *pkt, unsigned len) 24 /* new path length */ 25 rlen = ntohl(rpc_pkt.u.reply.data[1 + nfsv3_data_offset]); 26 27+ if (((uchar *)&(rpc_pkt.u.reply.data[0]) - (uchar *)(&rpc_pkt) + rlen) > len) 28+ return -NFS_RPC_DROP; 29+ 30 if (*((char *)&(rpc_pkt.u.reply.data[2 + nfsv3_data_offset])) != '/') { 31 int pathlen; 32 33-- 341.9.1 35 36
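Review bot: The new bound is measured from rpc_pkt.u.reply.data[0], but the path bytes that rlen describes start at data[2 + nfsv3_data_offset], as the `!= '/'` test two lines below the added check shows, so a reply can still pass the check while rlen reaches 4 * (2 + nfsv3_data_offset) bytes past len; anchoring the check at the same element closes that gap: `if (((uchar *)&(rpc_pkt.u.reply.data[2 + nfsv3_data_offset]) - (uchar *)(&rpc_pkt) + rlen) > len)`. rlen is declared outside the hunk; if it is a plain int, a reply word with the top bit set makes it negative, and on targets where ptrdiff_t is wider than unsigned the comparison then stays false, so an explicit `if (rlen < 0) return -NFS_RPC_DROP;` (or an unsigned rlen) before the pointer arithmetic would make the check hold on every target. The later copy into nfs_path is also outside the hunk; this check bounds rlen only by the received packet, not by the destination buffer, which presumably needs its own limit. nfs_readlink_reply's body starts before and continues after the hunk.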