Problem:

A pointer returned by kmalloc() can be stored at a wrong (out-of-bounds) location
in the rpcauth_lookup_credcache() routine, because the credential's cr_uid field
is never initialized before it is used as an array index.

rpcauth_lookup_credcache(struct rpc_auth *auth, int taskflags)
{
  ...
  if (!cred) {
    cred = auth->au_ops->crcreate(taskflags);
  }
  if (cred)
    rpcauth_insert_credcache(struct rpc_auth *auth, struct rpc_cred *cred)
  return (struct rpc_cred *) cred;
}

/* auth->au_ops->crcreate in rpcauth_lookup_credcache() is nul_create_cred */

nul_create_cred(int flags)
{
  ..
  if (!(cred = (struct rpc_cred *) rpc_allocate(flags, sizeof(*cred))))
  /* cred->cr_uid is not initialized, =0xbf3ff3f5 in my case */
  cred->cr_count = 0;
  ..
}

rpcauth_insert_credcache(struct rpc_auth *auth, struct rpc_cred *cred)
{
  ..
  nr = (cred->cr_uid % RPC_CREDCACHE_NR);
  auth->au_credcache[nr] = cred;
  /* write to a wrong place, nr=-3 in my case */
  ..
}



Solution:

Added one line to the nul_create_cred() routine. Since rpcauth_insert_credcache()
derives its au_credcache[] index from cred->cr_uid, that field must be initialized
before the credential is inserted into the cache; an uninitialized (here negative)
value yields an index such as nr=-3 and an out-of-bounds write.

nul_create_cred(int flags)
{
        struct rpc_cred *cred;

        if (!(cred = (struct rpc_cred *) rpc_allocate(flags, sizeof(*cred))))

                return NULL;
        cred->cr_uid = 0; <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<   added
        cred->cr_count = 0;
        cred->cr_flags = RPCAUTH_CRED_UPTODATE;

        return cred;


