SUNRPC: Fix integer overflow in decode_rc_list()

The math in "rc_list->rcl_nrefcalls * 2 * sizeof(uint32_t)" could have an
integer overflow.  Add bounds checking on rc_list->rcl_nrefcalls to fix
that.

Fixes: 4aece6a19cf7 ("nfs41: cb_sequence xdr implementation")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Signed-off-by: Anna Schumaker <anna.schumaker@oracle.com>

diff --git a/fs/nfs/callback_xdr.c b/fs/nfs/callback_xdr.c
index 6df77f008d3fada0066275fda0625e6c51368a56..fdeb0b34a3d39b6ce02d083318918c8493a9e469 100644 (file)
--- a/fs/nfs/callback_xdr.c
+++ b/fs/nfs/callback_xdr.c
@@ -375,6 +375,8 @@ static __be32 decode_rc_list(struct xdr_stream *xdr,
 
        rc_list->rcl_nrefcalls = ntohl(*p++);
        if (rc_list->rcl_nrefcalls) {
+               if (unlikely(rc_list->rcl_nrefcalls > xdr->buf->len))
+                       goto out;
                p = xdr_inline_decode(xdr,
                             rc_list->rcl_nrefcalls * 2 * sizeof(uint32_t));
                if (unlikely(p == NULL))