
Commit 3020093f authored by Trond Myklebust's avatar Trond Myklebust

NFS: Correct the array bound calculation in nfs_readdir_add_to_array



It looks as if the array size calculation in MAX_READDIR_ARRAY does not
take the alignment of struct nfs_cache_array_entry into account.

Signed-off-by: default avatarTrond Myklebust <Trond.Myklebust@netapp.com>
parent ece0b423
+5 −4
@@ -171,8 +171,6 @@ struct nfs_cache_array {
	struct nfs_cache_array_entry array[0];
	struct nfs_cache_array_entry array[0];
};
};


#define MAX_READDIR_ARRAY ((PAGE_SIZE - sizeof(struct nfs_cache_array)) / sizeof(struct nfs_cache_array_entry))

typedef __be32 * (*decode_dirent_t)(struct xdr_stream *, struct nfs_entry *, struct nfs_server *, int);
typedef __be32 * (*decode_dirent_t)(struct xdr_stream *, struct nfs_entry *, struct nfs_server *, int);
typedef struct {
typedef struct {
	struct file	*file;
	struct file	*file;
@@ -257,11 +255,14 @@ int nfs_readdir_add_to_array(struct nfs_entry *entry, struct page *page)


	if (IS_ERR(array))
	if (IS_ERR(array))
		return PTR_ERR(array);
		return PTR_ERR(array);

	cache_entry = &array->array[array->size];

	/* Check that this entry lies within the page bounds */
	ret = -ENOSPC;
	ret = -ENOSPC;
	if (array->size >= MAX_READDIR_ARRAY)
	if ((char *)&cache_entry[1] - (char *)page_address(page) > PAGE_SIZE)
		goto out;
		goto out;


	cache_entry = &array->array[array->size];
	cache_entry->cookie = entry->prev_cookie;
	cache_entry->cookie = entry->prev_cookie;
	cache_entry->ino = entry->ino;
	cache_entry->ino = entry->ino;
	ret = nfs_readdir_make_qstr(&cache_entry->string, entry->name, entry->len);
	ret = nfs_readdir_make_qstr(&cache_entry->string, entry->name, entry->len);
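Review bot: The new bound in `nfs_readdir_add_to_array` subtracts `page_address(page)` from a pointer derived from `array`, so it is only correct if `array` points into that same mapping. How `array` is obtained lies outside this hunk, and for a page without a permanent kernel mapping the two addresses could differ. Measuring from the mapping actually in use, `if ((char *)&cache_entry[1] - (char *)array > PAGE_SIZE)`, would remove that dependency, assuming the array header sits at the start of the page as the removed `MAX_READDIR_ARRAY` implied. The check also forms `&array->array[array->size]` before `array->size` has been validated, so the comment should say what guarantees `array->size` is sane here and that an entry ending exactly at the page end is accepted. The function body starts and ends outside the hunk.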