aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJ. Bruce Fields <bfields@citi.umich.edu>2008-01-22 17:40:42 -0500
committerJ. Bruce Fields <bfields@citi.umich.edu>2008-02-01 16:42:15 -0500
commit87d26ea7771ad637035e6bd5a2700d81ee9162da (patch)
treec1da6cd6fe03bfadb3276bd30423c7d4b105ef41
parent50431d94e732ba71b66a83c5435890728e313095 (diff)
nfsd: more careful input validation in nfsctl write methods
Neil Brown points out that we're checking buf[size-1] in a couple places without first checking whether size is zero. Actually, given the implementation of simple_transaction_get(), buf[-1] is zero, so in both of these cases the subsequent check of the value of buf[size-1] will catch this case. But it seems fragile to depend on that, so add explicit checks for this case. Signed-off-by: J. Bruce Fields <bfields@citi.umich.edu> Acked-by: NeilBrown <neilb@suse.de>
-rw-r--r--fs/nfsd/nfsctl.c5
1 files changed, 4 insertions, 1 deletions
diff --git a/fs/nfsd/nfsctl.c b/fs/nfsd/nfsctl.c
index bc22e0b0343a..8516137cdbb0 100644
--- a/fs/nfsd/nfsctl.c
+++ b/fs/nfsd/nfsctl.c
@@ -304,6 +304,9 @@ static ssize_t write_filehandle(struct file *file, char *buf, size_t size)
304 struct auth_domain *dom; 304 struct auth_domain *dom;
305 struct knfsd_fh fh; 305 struct knfsd_fh fh;
306 306
307 if (size == 0)
308 return -EINVAL;
309
307 if (buf[size-1] != '\n') 310 if (buf[size-1] != '\n')
308 return -EINVAL; 311 return -EINVAL;
309 buf[size-1] = 0; 312 buf[size-1] = 0;
@@ -663,7 +666,7 @@ static ssize_t write_recoverydir(struct file *file, char *buf, size_t size)
663 char *recdir; 666 char *recdir;
664 int len, status; 667 int len, status;
665 668
666 if (size > PATH_MAX || buf[size-1] != '\n') 669 if (size == 0 || size > PATH_MAX || buf[size-1] != '\n')
667 return -EINVAL; 670 return -EINVAL;
668 buf[size-1] = 0; 671 buf[size-1] = 0;
669 672