From 4d2f9f113297501865446fa115de5cfad88bd852 Mon Sep 17 00:00:00 2001
From: Peter Lieven <pl@kamp.de>
Date: Sat, 15 Mar 2014 14:20:29 +0100
Subject: [PATCH] fix potential overflow in nfs_pread_mcb

Signed-off-by: Peter Lieven <pl@kamp.de>
---
 lib/libnfs.c | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/lib/libnfs.c b/lib/libnfs.c
index 7946f2f..4f0650f 100644
--- a/lib/libnfs.c
+++ b/lib/libnfs.c
@@ -1588,9 +1588,14 @@ static void nfs_pread_mcb(struct rpc_context *rpc, int status, void *command_dat
 			data->error = 1;
 		} else  {
 			if (res->READ3res_u.resok.count > 0) {
-				memcpy(&data->buffer[mdata->offset - data->start_offset], res->READ3res_u.resok.data.data_val, res->READ3res_u.resok.count);
-				if ((unsigned)data->max_offset < mdata->offset + res->READ3res_u.resok.count) {
-					data->max_offset = mdata->offset + res->READ3res_u.resok.count;
+				if (res->READ3res_u.resok.count <= mdata->count) {
+					memcpy(&data->buffer[mdata->offset - data->start_offset], res->READ3res_u.resok.data.data_val, res->READ3res_u.resok.count);
+					if ((unsigned)data->max_offset < mdata->offset + res->READ3res_u.resok.count) {
+						data->max_offset = mdata->offset + res->READ3res_u.resok.count;
+					}
+				} else {
+					rpc_set_error(nfs->rpc, "NFS: Read overflow. Server has sent more data than requested!");
+					data->error = 1;
 				}
 			}
 		}
-- 
2.34.1