[PATCH] Protect against NFS requests to create symlinks bigger than one page

Such a request would cause the nul terminator to be written to some other page, and cause havoc. Also rearrange two tests to avoid the possibility of testing the byte just past the end of a buffer - doing so can causes an oops with appropriate kernel-debug config options

[PATCH] Protect against NFS requests to create symlinks bigger than one page
Such a request would cause the nul terminator to be written to some other page, and cause havoc. Also rearrange two tests to avoid the possibility of testing the byte just past the end of a buffer - doing so can causes an oops with appropriate kernel-debug config options
67dec770 · Neil Brown · Linus Torvalds · cfd5b64b · 67dec770
Commit 67dec770 authored Aug 04, 2003 by Neil Brown Committed by Linus Torvalds Aug 04, 2003
Hide whitespace changes
Inline Side-by-side

Showing with 3 additions and 3 deletions

fs/nfsd/nfs3xdr.c fs/nfsd/nfs3xdr.c +3 -3

No files found.
--- a/fs/nfsd/nfs3xdr.c
+++ b/fs/nfsd/nfs3xdr.c
@@ -446,7 +446,7 @@ nfs3svc_decode_symlinkargs(struct svc_rqst *rqstp, u32 *p,
 	 */
 	svc_take_page(rqstp);
 	len = ntohl(*p++);
-	if (len <= 0 || len > NFS3_MAXPATHLEN)
+	if (len <= 0 || len > NFS3_MAXPATHLEN || len >= PAGE_SIZE)
 		return 0;
 	args->tname = new = page_address(rqstp->rq_respages[rqstp->rq_resused-1]);
 	args->tlen = len;
@@ -454,7 +454,7 @@ nfs3svc_decode_symlinkargs(struct svc_rqst *rqstp, u32 *p,
 	old = (char*)p;
 	vec = &rqstp->rq_arg.head[0];
 	avail = vec->iov_len - (old - (char*)vec->iov_base);
-	while (len > 0 && *old && avail) {
+	while (len && avail && *old) {
 		*new++ = *old++;
 		len--;
 		avail--;
@@ -465,7 +465,7 @@ nfs3svc_decode_symlinkargs(struct svc_rqst *rqstp, u32 *p,
 		if (avail > PAGE_SIZE) avail = PAGE_SIZE;
 		old = page_address(rqstp->rq_arg.pages[0]);
 	}
-	while (len > 0 && *old && avail) {
+	while (len && avail && *old) {
 		*new++ = *old++;
 		len--;
 		avail--;