aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorNeilBrown <neilb@cse.unsw.edu.au>2005-11-07 04:00:26 -0500
committerLinus Torvalds <torvalds@g5.osdl.org>2005-11-07 10:53:48 -0500
commit0ba7536d5d47e4ecf2259a80b207158dc4e711eb (patch)
tree0e8528e65f25b9992cfad43e74018a0986f46c38
parent70c3b76c28b012452d63bb27f6d0517afb05d86f (diff)
[PATCH] knfsd: Fix some minor sign problems in nfsd/xdr
There are a couple of tests which could possibly be confused by extremely large numbers appearing in 'xdr' packets. I think the closest to an exploit you could get would be writing random data from a free page into a file - i.e. leak data out of kernel space. I'm fairly sure they cannot be used for remote compromise. Signed-off-by: Neil Brown <neilb@suse.de> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
-rw-r--r--fs/nfsd/nfs3xdr.c3
-rw-r--r--include/linux/nfsd/xdr3.h2
-rw-r--r--include/linux/sunrpc/svc.h3
3 files changed, 5 insertions, 3 deletions
diff --git a/fs/nfsd/nfs3xdr.c b/fs/nfsd/nfs3xdr.c
index e0e134d6baba..9147b8524d05 100644
--- a/fs/nfsd/nfs3xdr.c
+++ b/fs/nfsd/nfs3xdr.c
@@ -366,7 +366,8 @@ nfs3svc_decode_writeargs(struct svc_rqst *rqstp, u32 *p,
366 len = args->len = ntohl(*p++); 366 len = args->len = ntohl(*p++);
367 367
368 hdr = (void*)p - rqstp->rq_arg.head[0].iov_base; 368 hdr = (void*)p - rqstp->rq_arg.head[0].iov_base;
369 if (rqstp->rq_arg.len < len + hdr) 369 if (rqstp->rq_arg.len < hdr ||
370 rqstp->rq_arg.len - hdr < len)
370 return 0; 371 return 0;
371 372
372 args->vec[0].iov_base = (void*)p; 373 args->vec[0].iov_base = (void*)p;
diff --git a/include/linux/nfsd/xdr3.h b/include/linux/nfsd/xdr3.h
index 21e18ce7ca63..3c2a71b43bac 100644
--- a/include/linux/nfsd/xdr3.h
+++ b/include/linux/nfsd/xdr3.h
@@ -42,7 +42,7 @@ struct nfsd3_writeargs {
42 __u64 offset; 42 __u64 offset;
43 __u32 count; 43 __u32 count;
44 int stable; 44 int stable;
45 int len; 45 __u32 len;
46 struct kvec vec[RPCSVC_MAXPAGES]; 46 struct kvec vec[RPCSVC_MAXPAGES];
47 int vlen; 47 int vlen;
48}; 48};
diff --git a/include/linux/sunrpc/svc.h b/include/linux/sunrpc/svc.h
index 5af8800e0ce3..e4086ec8b952 100644
--- a/include/linux/sunrpc/svc.h
+++ b/include/linux/sunrpc/svc.h
@@ -171,7 +171,8 @@ xdr_argsize_check(struct svc_rqst *rqstp, u32 *p)
171{ 171{
172 char *cp = (char *)p; 172 char *cp = (char *)p;
173 struct kvec *vec = &rqstp->rq_arg.head[0]; 173 struct kvec *vec = &rqstp->rq_arg.head[0];
174 return cp - (char*)vec->iov_base <= vec->iov_len; 174 return cp >= (char*)vec->iov_base
175 && cp <= (char*)vec->iov_base + vec->iov_len;
175} 176}
176 177
177static inline int 178static inline int