author | J. Bruce Fields <bfields@citi.umich.edu> | 2008-01-22 17:40:42 -0500 |
---|---|---|
committer | J. Bruce Fields <bfields@citi.umich.edu> | 2008-02-01 16:42:15 -0500 |
commit | 87d26ea7771ad637035e6bd5a2700d81ee9162da (patch) | |
tree | c1da6cd6fe03bfadb3276bd30423c7d4b105ef41 | |
parent | 50431d94e732ba71b66a83c5435890728e313095 (diff) |
nfsd: more careful input validation in nfsctl write methods
Neil Brown points out that we're checking buf[size-1] in a couple places
without first checking whether size is zero.
Actually, given the implementation of simple_transaction_get(), buf[-1]
is zero, so in both of these cases the subsequent check of the value of
buf[size-1] will catch this case.
But it seems fragile to depend on that, so add explicit checks for this
case.
Signed-off-by: J. Bruce Fields <bfields@citi.umich.edu>
Acked-by: NeilBrown <neilb@suse.de>
-rw-r--r-- | fs/nfsd/nfsctl.c | 5 |
1 files changed, 4 insertions, 1 deletions
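--- a/fs/nfsd/nfsctl.c
+++ b/fs/nfsd/nfsctl.c
@@ -304,6 +304,9 @@ static ssize_t write_filehandle(struct file *file, char *buf, size_t size)
 struct auth_domain *dom;
 struct knfsd_fh fh;
 
+if (size == 0)
+return -EINVAL;
+
 if (buf[size-1] != '\n')
 return -EINVAL;
 buf[size-1] = 0;
@@ -663,7 +666,7 @@ static ssize_t write_recoverydir(struct file *file, char *buf, size_t size)
 char *recdir;
 int len, status;
 
-if (size > PATH_MAX || buf[size-1] != '\n')
+if (size == 0 || size > PATH_MAX || buf[size-1] != '\n')
 return -EINVAL;
 buf[size-1] = 0;
 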
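Review bot: The same empty-write guard is spelled two ways in this file section: write_filehandle gets a separate `if (size == 0) return -EINVAL;`, while write_recoverydir folds it into the existing condition, where its safety depends on `size == 0` being evaluated before `buf[size-1]`. Using one form in both, for example `if (size == 0 || buf[size-1] != '\n') return -EINVAL;` in write_filehandle, would make the pattern easier to audit in any other write handlers in nfsctl.c that index `buf[size-1]`. A short comment such as `/* reject empty writes before reading buf[size-1] */` would also keep the check from being removed later as redundant, since per the commit message the old code only behaved because of how simple_transaction_get() lays out the buffer. Both function bodies start and end outside the hunks, so later uses of `size` and `len` are not visible here.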