Commit 0ba7536d authored by NeilBrown's avatar NeilBrown Committed by Linus Torvalds

[PATCH] knfsd: Fix some minor sign problems in nfsd/xdr

There are a couple of tests which could possibly be confused by extremely
large numbers appearing in 'xdr' packets.  I think the closest to an exploit
you could get would be writing random data from a free page into a file - i.e.
 leak data out of kernel space.

I'm fairly sure they cannot be used for remote compromise.
Signed-off-by: default avatarNeil Brown <neilb@suse.de>
Signed-off-by: default avatarAndrew Morton <akpm@osdl.org>
Signed-off-by: default avatarLinus Torvalds <torvalds@osdl.org>
parent 70c3b76c
......@@ -366,7 +366,8 @@ nfs3svc_decode_writeargs(struct svc_rqst *rqstp, u32 *p,
len = args->len = ntohl(*p++);
hdr = (void*)p - rqstp->rq_arg.head[0].iov_base;
if (rqstp->rq_arg.len < len + hdr)
if (rqstp->rq_arg.len < hdr ||
rqstp->rq_arg.len - hdr < len)
return 0;
args->vec[0].iov_base = (void*)p;
......
......@@ -42,7 +42,7 @@ struct nfsd3_writeargs {
__u64 offset;
__u32 count;
int stable;
int len;
__u32 len;
struct kvec vec[RPCSVC_MAXPAGES];
int vlen;
};
......
......@@ -171,7 +171,8 @@ xdr_argsize_check(struct svc_rqst *rqstp, u32 *p)
{
char *cp = (char *)p;
struct kvec *vec = &rqstp->rq_arg.head[0];
return cp - (char*)vec->iov_base <= vec->iov_len;
return cp >= (char*)vec->iov_base
&& cp <= (char*)vec->iov_base + vec->iov_len;
}
static inline int
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment