
Commit 0ba7536d authored by NeilBrown's avatar NeilBrown Committed by Linus Torvalds

[PATCH] knfsd: Fix some minor sign problems in nfsd/xdr



There are a couple of tests which could possibly be confused by extremely
large numbers appearing in 'xdr' packets.  I think the closest to an exploit
you could get would be writing random data from a free page into a file - i.e.
 leak data out of kernel space.

I'm fairly sure they cannot be used for remote compromise.

Signed-off-by: Neil Brown <neilb@suse.de>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
parent 70c3b76c
+2 −1
@@ -366,7 +366,8 @@ nfs3svc_decode_writeargs(struct svc_rqst *rqstp, u32 *p,
	len = args->len = ntohl(*p++);
	len = args->len = ntohl(*p++);


	hdr = (void*)p - rqstp->rq_arg.head[0].iov_base;
	hdr = (void*)p - rqstp->rq_arg.head[0].iov_base;
	if (rqstp->rq_arg.len < len + hdr)
	if (rqstp->rq_arg.len < hdr ||
	    rqstp->rq_arg.len - hdr < len)
		return 0;
		return 0;


	args->vec[0].iov_base = (void*)p;
	args->vec[0].iov_base = (void*)p;
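Review bot: The declarations of the locals `len` and `hdr` sit outside this hunk, so it is not visible whether they are unsigned; if either is still `int`, the new test `rqstp->rq_arg.len - hdr < len` is only correct through implicit conversion to unsigned (assuming `rq_arg.len` itself is unsigned). Because `len` is taken straight from the request via `ntohl(*p++)`, I would declare both locals `unsigned int`, matching the `__u32 len` field this commit introduces in `struct nfsd3_writeargs`. A comment above the test would record why the comparison is written as a subtraction, for example `/* subtract rather than add: len + hdr can wrap for a huge client-supplied len */`. The function body continues past the end of the hunk, so later uses of `len` should be checked against the same assumption.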
+1 −1
@@ -42,7 +42,7 @@ struct nfsd3_writeargs {
	__u64			offset;
	__u64			offset;
	__u32			count;
	__u32			count;
	int			stable;
	int			stable;
	int			len;
	__u32			len;
	struct kvec		vec[RPCSVC_MAXPAGES];
	struct kvec		vec[RPCSVC_MAXPAGES];
	int			vlen;
	int			vlen;
};
};
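Review bot: The `len` field carries no comment saying that it holds a length decoded from the request, which is the reason its signedness matters. I would document it in place, for example `__u32 len; /* data length as sent by the client; validate against rq_arg.len before use */`. `vlen` remains `int` in the same struct; whether a request can influence it is not visible in this hunk, so it is worth confirming that it is always derived from already-validated values.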
+2 −1
@@ -171,7 +171,8 @@ xdr_argsize_check(struct svc_rqst *rqstp, u32 *p)
{
{
	char *cp = (char *)p;
	char *cp = (char *)p;
	struct kvec *vec = &rqstp->rq_arg.head[0];
	struct kvec *vec = &rqstp->rq_arg.head[0];
	return cp - (char*)vec->iov_base <= vec->iov_len;
	return cp >= (char*)vec->iov_base
		&& cp <= (char*)vec->iov_base + vec->iov_len;
}
}


static inline int
static inline int
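Review bot: `xdr_argsize_check` has no comment stating its contract, and the new two-sided test makes that contract worth writing down: it returns non-zero only when the decode cursor `p` lies inside `head[0]`, with `<=` accepting the position one past the last byte. I would add `/* p must lie within head[0]; p == end of head[0] is allowed */` above the `return`. The check covers `head[0]` only, so decoders whose arguments extend beyond the head still need their own length validation, as the `nfs3svc_decode_writeargs` change in this commit does. The function's return-type line is above the hunk.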