authorScott Mayhew <smayhew@redhat.com>2020-04-13 14:25:35 -0400
committerSteve Dickson <steved@redhat.com>2020-04-13 14:47:24 -0400
commit7b74b8d0b02ebfdef0901c9b20e9aec16ec2f6b2 (patch)
treebd8fe912d738e216cb191f68ecd031dde5e1649c
parent1699fc34fe74ceda67e45453890a654c59f2b9e3 (diff)
downloadnfs-utils-7b74b8d0b02ebfdef0901c9b20e9aec16ec2f6b2.tar.gz
nfsdcld: fix possible buffer overrun in sqlite_iterate_recovery()
Prior to release, cp_data was originally intended to hold the gss principal string. When it was changed to hold a hash of the principal instead, the size of the field was changed but the 'n' arg of the memcpy() in sqlite_iterate_recovery() was not. Signed-off-by: Scott Mayhew <smayhew@redhat.com> Signed-off-by: Steve Dickson <steved@redhat.com>
-rw-r--r--utils/nfsdcld/sqlite.c2
1 files changed, 1 insertions, 1 deletions
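diff --git a/utils/nfsdcld/sqlite.c b/utils/nfsdcld/sqlite.c
index 09518e22..6666c867 100644
--- a/utils/nfsdcld/sqlite.c
+++ b/utils/nfsdcld/sqlite.c
@@ -1337,7 +1337,7 @@ sqlite_iterate_recovery(int (*cb)(struct cld_client *clnt), struct cld_client *c
 cmsg->cm_u.cm_clntinfo.cc_name.cn_len = sqlite3_column_bytes(stmt, 0);
 if (sqlite3_column_bytes(stmt, 1) > 0) {
 memcpy(&cmsg->cm_u.cm_clntinfo.cc_princhash.cp_data,
- sqlite3_column_blob(stmt, 1), NFS4_OPAQUE_LIMIT);
+ sqlite3_column_blob(stmt, 1), SHA256_DIGEST_SIZE);
 cmsg->cm_u.cm_clntinfo.cc_princhash.cp_len = sqlite3_column_bytes(stmt, 1);
 }
 #else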
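Review bot: The memcpy() now copies a fixed SHA256_DIGEST_SIZE bytes from the column blob, but the guard on the line above only requires `sqlite3_column_bytes(stmt, 1) > 0`, so a stored blob shorter than the digest size (a truncated or corrupted row in the recovery database) is read past its end, and a longer one leaves cp_len claiming more bytes than were copied. Tying the guard to the length actually being copied closes both gaps: `if (sqlite3_column_bytes(stmt, 1) == SHA256_DIGEST_SIZE) {`, with the remaining lines unchanged; a mismatched row could also be logged and skipped, since the copy size assumes cp_data is exactly SHA256_DIGEST_SIZE bytes, as the commit message implies but this hunk does not show. As a minor point of style, sqlite3_column_bytes(stmt, 1) is evaluated twice in the same block; a local such as `int plen = sqlite3_column_bytes(stmt, 1);` used for both the check and the cp_len assignment reads more clearly. sqlite_iterate_recovery() begins and ends outside this hunk, and the `#else` shows this block sits inside a conditional compilation branch whose other arm is not visible here.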