From 4d2f9f113297501865446fa115de5cfad88bd852 Mon Sep 17 00:00:00 2001
From: Peter Lieven
Date: Sat, 15 Mar 2014 14:20:29 +0100
Subject: [PATCH] fix potential overflow in nfs_pread_mcb

Signed-off-by: Peter Lieven
---
 lib/libnfs.c | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/lib/libnfs.c b/lib/libnfs.c
index 7946f2f..4f0650f 100644
--- a/lib/libnfs.c
+++ b/lib/libnfs.c
@@ -1588,9 +1588,14 @@ static void nfs_pread_mcb(struct rpc_context *rpc, int status, void *command_dat
 data->error = 1;
 } else {
 if (res->READ3res_u.resok.count > 0) {
- memcpy(&data->buffer[mdata->offset - data->start_offset], res->READ3res_u.resok.data.data_val, res->READ3res_u.resok.count);
- if ((unsigned)data->max_offset < mdata->offset + res->READ3res_u.resok.count) {
- data->max_offset = mdata->offset + res->READ3res_u.resok.count;
+ if (res->READ3res_u.resok.count <= mdata->count) {
+ memcpy(&data->buffer[mdata->offset - data->start_offset], res->READ3res_u.resok.data.data_val, res->READ3res_u.resok.count);
+ if ((unsigned)data->max_offset < mdata->offset + res->READ3res_u.resok.count) {
+ data->max_offset = mdata->offset + res->READ3res_u.resok.count;
+ }
+ } else {
+ rpc_set_error(nfs->rpc, "NFS: Read overflow. Server has sent more data than requested!");
+ data->error = 1;
 }
 }
 }
--
2.34.1
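Review bot: The memcpy source length is still unchecked: the new guard bounds `resok.count` by `mdata->count`, but the copy reads `resok.count` bytes from `resok.data.data_val` without comparing against the length of the decoded opaque, so a reply whose `count` is larger than the data it carries would over-read the source buffer. Consider extending the condition to `res->READ3res_u.resok.count <= mdata->count && res->READ3res_u.resok.count <= res->READ3res_u.resok.data.data_len` (assuming the usual rpcgen `data_len` companion of `data_val`; the struct is not visible in this hunk). Separately, the `(unsigned)data->max_offset` cast in the comparison would truncate if `max_offset` is a 64-bit offset, which cannot be confirmed from here. The body of nfs_pread_mcb starts and ends outside the hunk, so whether the destination index `mdata->offset - data->start_offset` is bounded elsewhere cannot be seen.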