nfsd: fix buffer overrun decoding NFSv4 acl
author: J. Bruce Fields <bfields@citi.umich.edu>
Fri, 29 Aug 2008 23:18:45 +0000 (19:18 -0400)
committer: J. Bruce Fields <bfields@citi.umich.edu>
Mon, 1 Sep 2008 18:24:24 +0000 (14:24 -0400)
The array we kmalloc() here is not large enough.

Thanks to Johann Dahm and David Richter for bug report and testing.

Signed-off-by: J. Bruce Fields <bfields@citi.umich.edu>
Cc: David Richter <richterd@citi.umich.edu>
Tested-by: Johann Dahm <jdahm@umich.edu>
fs/nfsd/nfs4acl.c

index b6ed38380ab805179f8354ab9454fc533e50da53..54b8b4140c8f6e32203363bd9b53e8aa2ed09f7e 100644
@@ -443,7 +443,7 @@ init_state(struct posix_acl_state *state, int cnt)
         * enough space for either:
         */
        alloc = sizeof(struct posix_ace_state_array)
-               + cnt*sizeof(struct posix_ace_state);
+               + cnt*sizeof(struct posix_user_ace_state);
        state->users = kzalloc(alloc, GFP_KERNEL);
        if (!state->users)
                return -ENOMEM;
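Review bot: the allocation size on the changed line is still hand-written against a named type (`cnt*sizeof(struct posix_user_ace_state)`), which is exactly how the undersized buffer slipped in; deriving the element size from the array member reached through `state->users` (a `sizeof` on the element itself rather than on a type name) would keep the size tied to what is actually stored and prevent the two from drifting apart again. Two further points for this hunk: the comment that opens it ("enough space for either:") is cut off in the context shown, so it is worth confirming that the other case it refers to is sized with the same element type; and `cnt*sizeof(...)` is an unchecked multiplication on an `int` parameter, so if `cnt` can ultimately derive from the decoded ACL it should be bounded before it reaches `kzalloc()`.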