Commit ef95d31e authored by Trond Myklebust's avatar Trond Myklebust

NFS: Fix misparsing of nfsv4 fs_locations attribute (take 2)

The changeset ea31a443 (nfs: Fix
misparsing of nfsv4 fs_locations attribute) causes the mountpath that is
calculated at the beginning of try_location() to be clobbered when we
later strncpy a non-nul terminated hostname using an incorrect buffer
length.
Signed-off-by: default avatarTrond Myklebust <Trond.Myklebust@netapp.com>
parent eb9b55ab
...@@ -21,7 +21,9 @@ ...@@ -21,7 +21,9 @@
#define NFSDBG_FACILITY NFSDBG_VFS #define NFSDBG_FACILITY NFSDBG_VFS
/* /*
* Check if fs_root is valid * Convert the NFSv4 pathname components into a standard posix path.
*
* Note that the resulting string will be placed at the end of the buffer
*/ */
static inline char *nfs4_pathname_string(const struct nfs4_pathname *pathname, static inline char *nfs4_pathname_string(const struct nfs4_pathname *pathname,
char *buffer, ssize_t buflen) char *buffer, ssize_t buflen)
...@@ -99,21 +101,20 @@ static struct vfsmount *try_location(struct nfs_clone_mount *mountdata, ...@@ -99,21 +101,20 @@ static struct vfsmount *try_location(struct nfs_clone_mount *mountdata,
{ {
struct vfsmount *mnt = ERR_PTR(-ENOENT); struct vfsmount *mnt = ERR_PTR(-ENOENT);
char *mnt_path; char *mnt_path;
int page2len; unsigned int maxbuflen;
unsigned int s; unsigned int s;
mnt_path = nfs4_pathname_string(&location->rootpath, page2, PAGE_SIZE); mnt_path = nfs4_pathname_string(&location->rootpath, page2, PAGE_SIZE);
if (IS_ERR(mnt_path)) if (IS_ERR(mnt_path))
return mnt; return mnt;
mountdata->mnt_path = mnt_path; mountdata->mnt_path = mnt_path;
page2 += strlen(mnt_path) + 1; maxbuflen = mnt_path - 1 - page2;
page2len = PAGE_SIZE - strlen(mnt_path) - 1;
for (s = 0; s < location->nservers; s++) { for (s = 0; s < location->nservers; s++) {
const struct nfs4_string *buf = &location->servers[s]; const struct nfs4_string *buf = &location->servers[s];
struct sockaddr_storage addr; struct sockaddr_storage addr;
if (buf->len <= 0 || buf->len >= PAGE_SIZE) if (buf->len <= 0 || buf->len >= maxbuflen)
continue; continue;
mountdata->addr = (struct sockaddr *)&addr; mountdata->addr = (struct sockaddr *)&addr;
...@@ -126,8 +127,8 @@ static struct vfsmount *try_location(struct nfs_clone_mount *mountdata, ...@@ -126,8 +127,8 @@ static struct vfsmount *try_location(struct nfs_clone_mount *mountdata,
continue; continue;
nfs_set_port(mountdata->addr, NFS_PORT); nfs_set_port(mountdata->addr, NFS_PORT);
strncpy(page2, buf->data, page2len); memcpy(page2, buf->data, buf->len);
page2[page2len] = '\0'; page2[buf->len] = '\0';
mountdata->hostname = page2; mountdata->hostname = page2;
snprintf(page, PAGE_SIZE, "%s:%s", snprintf(page, PAGE_SIZE, "%s:%s",
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment