From: Peter Lieven Date: Sat, 15 Mar 2014 13:20:29 +0000 (+0100) Subject: fix potential overflow in nfs_pread_mcb X-Git-Tag: upstream/1.9.6^2~76^2~6 X-Git-Url: https://git.piment-noir.org/?a=commitdiff_plain;ds=sidebyside;h=4d2f9f113297501865446fa115de5cfad88bd852;p=deb_libnfs.git fix potential overflow in nfs_pread_mcb Signed-off-by: Peter Lieven --- diff --git a/lib/libnfs.c b/lib/libnfs.c index 7946f2f..4f0650f 100644 --- a/lib/libnfs.c +++ b/lib/libnfs.c @@ -1588,9 +1588,14 @@ static void nfs_pread_mcb(struct rpc_context *rpc, int status, void *command_dat data->error = 1; } else { if (res->READ3res_u.resok.count > 0) { - memcpy(&data->buffer[mdata->offset - data->start_offset], res->READ3res_u.resok.data.data_val, res->READ3res_u.resok.count); - if ((unsigned)data->max_offset < mdata->offset + res->READ3res_u.resok.count) { - data->max_offset = mdata->offset + res->READ3res_u.resok.count; + if (res->READ3res_u.resok.count <= mdata->count) { + memcpy(&data->buffer[mdata->offset - data->start_offset], res->READ3res_u.resok.data.data_val, res->READ3res_u.resok.count); + if ((unsigned)data->max_offset < mdata->offset + res->READ3res_u.resok.count) { + data->max_offset = mdata->offset + res->READ3res_u.resok.count; + } + } else { + rpc_set_error(nfs->rpc, "NFS: Read overflow. Server has sent more data than requested!"); + data->error = 1; } } }