Commit 87d26ea7 authored Jan 22, 2008 by J. Bruce Fields

nfsd: more careful input validation in nfsctl write methods



Neil Brown points out that we're checking buf[size-1] in a couple places
without first checking whether size is zero.

Actually, given the implementation of simple_transaction_get(), buf[-1]
is zero, so in both of these cases the subsequent check of the value of
buf[size-1] will catch this case.

But it seems fragile to depend on that, so add explicit checks for this
case.

Signed-off-by: J. Bruce Fields <bfields@citi.umich.edu>
Acked-by: NeilBrown <neilb@suse.de>

parent 50431d94

fs/nfsd/nfsctl.c

+4 −1

Original line number	Diff line number	Diff line
		@@ -304,6 +304,9 @@ static ssize_t write_filehandle(struct file file, char buf, size_t size)
		struct auth_domain *dom;
		struct knfsd_fh fh;

		if (size == 0)
		return -EINVAL;

		if (buf[size-1] != '\n')
		return -EINVAL;
		buf[size-1] = 0;
		@@ -663,7 +666,7 @@ static ssize_t write_recoverydir(struct file file, char buf, size_t size)
		char *recdir;
		int len, status;

		if (size > PATH_MAX \|\| buf[size-1] != '\n')
		if (size == 0 \|\| size > PATH_MAX \|\| buf[size-1] != '\n')
		return -EINVAL;
		buf[size-1] = 0;