From: J. Bruce Fields Date: Mon, 1 Sep 2008 18:51:02 +0000 (-0400) Subject: nfsd: fix buffer overrun decoding NFSv4 acl X-Git-Tag: v2.6.26.4~4 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=ee69675af511022b8a324c4a208a91f901f0a6c4;p=platform%2Fkernel%2Flinux-stable.git nfsd: fix buffer overrun decoding NFSv4 acl commit 91b80969ba466ba4b915a4a1d03add8c297add3f upstream The array we kmalloc() here is not large enough. Thanks to Johann Dahm and David Richter for bug report and testing. Signed-off-by: J. Bruce Fields Cc: David Richter Tested-by: Johann Dahm Signed-off-by: Greg Kroah-Hartman --- diff --git a/fs/nfsd/nfs4acl.c b/fs/nfsd/nfs4acl.c index b6ed38380ab8..54b8b4140c8f 100644 --- a/fs/nfsd/nfs4acl.c +++ b/fs/nfsd/nfs4acl.c @@ -443,7 +443,7 @@ init_state(struct posix_acl_state *state, int cnt) * enough space for either: */ alloc = sizeof(struct posix_ace_state_array) - + cnt*sizeof(struct posix_ace_state); + + cnt*sizeof(struct posix_user_ace_state); state->users = kzalloc(alloc, GFP_KERNEL); if (!state->users) return -ENOMEM;
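Review bot: In the `alloc` computation in init_state(), the element size is still named by hand as `cnt*sizeof(struct posix_user_ace_state)`, so the allocation is correct only while that type name happens to match what the array behind `state->users` actually holds. The fix itself is a change from one hand-written type name to another. Deriving the size from an element of the array that `state->users` points to would tie the allocation to the real element type and prevent the same mismatch from returning. Separately, `cnt` is an `int` and nothing in the visible lines bounds it before the multiplication, so confirm that the caller limits the ACE count, or add an overflow check before the `kzalloc()` call. The commit message says only that the array is "not large enough"; naming the two struct types involved would make the size difference clear to anyone reviewing the stable backport.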