[lvc-project] [PATCH] nfsd: fix arithmetic expression overflow in decode_saddr()
Alexandr Sapozhnkiov
alsp705 at gmail.com
Thu Sep 25 10:56:52 MSK 2025
From: Alexandr Sapozhnikov <alsp705 at gmail.com>
The value of an arithmetic expression 'tmp1 * NSEC_PER_USEC'
is a subject to overflow because its operands are not cast
to a larger data type before performing arithmetic
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Signed-off-by: Alexandr Sapozhnikov <alsp705 at gmail.com>
---
fs/nfsd/nfsxdr.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/fs/nfsd/nfsxdr.c b/fs/nfsd/nfsxdr.c
index 5777f40c7353..df62ed5099de 100644
--- a/fs/nfsd/nfsxdr.c
+++ b/fs/nfsd/nfsxdr.c
@@ -172,6 +172,8 @@ svcxdr_decode_sattr(struct svc_rqst *rqstp, struct xdr_stream *xdr,
tmp1 = be32_to_cpup(p++);
tmp2 = be32_to_cpup(p++);
if (tmp1 != (u32)-1 && tmp2 != (u32)-1) {
+ if (tmp2 > 1000000)
+ tmp2 = 1000000;
iap->ia_valid |= ATTR_ATIME | ATTR_ATIME_SET;
iap->ia_atime.tv_sec = tmp1;
iap->ia_atime.tv_nsec = tmp2 * NSEC_PER_USEC;
@@ -180,6 +182,8 @@ svcxdr_decode_sattr(struct svc_rqst *rqstp, struct xdr_stream *xdr,
tmp1 = be32_to_cpup(p++);
tmp2 = be32_to_cpup(p++);
if (tmp1 != (u32)-1 && tmp2 != (u32)-1) {
+ if (tmp2 > 1000000)
+ tmp2 = 999999;
iap->ia_valid |= ATTR_MTIME | ATTR_MTIME_SET;
iap->ia_mtime.tv_sec = tmp1;
iap->ia_mtime.tv_nsec = tmp2 * NSEC_PER_USEC;
--
2.43.0
More information about the lvc-project
mailing list