Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit ca2a05aa authored by J. Bruce Fields's avatar J. Bruce Fields
Browse files

nfsd: Fix handling of negative lengths in read_buf() 



The length "nbytes" passed into read_buf should never be negative, but
we check only for too-large values of "nbytes", not for too-small
values.  Make nbytes unsigned, so it's clear that the former tests are
sufficient.  (Despite this read_buf() currently correctly returns an xdr
error in the case of a negative length, thanks to an unsigned
comparison with size_of() and bounds-checking in kmalloc().  This seems
very fragile, though.)

Signed-off-by: default avatarJ. Bruce Fields <bfields@citi.umich.edu>
parent a490c681

fs/nfsd/nfs4xdr.c

+7 −2
Original line number Diff line number Diff line
@@ -148,12 +148,12 @@ xdr_error: \ 
	}					\

} while (0)



static __be32 *read_buf(struct nfsd4_compoundargs *argp, int nbytes)

static __be32 *read_buf(struct nfsd4_compoundargs *argp, u32 nbytes)

{

	/* We want more bytes than seem to be available.

	 * Maybe we need a new page, maybe we have just run out

	 */

	int avail = (char*)argp->end - (char*)argp->p;

	unsigned int avail = (char *)argp->end - (char *)argp->p;

	__be32 *p;

	if (avail + argp->pagelen < nbytes)

		return NULL;
@@ -169,6 +169,11 @@ static __be32 *read_buf(struct nfsd4_compoundargs *argp, int nbytes) 
			return NULL;

		

	}

	/*

	 * The following memcpy is safe because read_buf is always

	 * called with nbytes > avail, and the two cases above both

	 * guarantee p points to at least nbytes bytes.

	 */

	memcpy(p, argp->p, avail);

	/* step to next page */

	argp->p = page_address(argp->pagelist[0]);