diff options
| author | Chuck Lever <chuck.lever@oracle.com> | 2007-10-26 13:32:03 -0400 |
|---|---|---|
| committer | Trond Myklebust <Trond.Myklebust@netapp.com> | 2008-01-30 02:05:44 -0500 |
| commit | bcecff77a9c743ff67fdddeabc30ef76a6877886 (patch) | |
| tree | 0e7a30f308501f87fbdad6fe65321b8bc35d89f9 /fs | |
| parent | c957c526ef86e472359dadb4204dab8a503b687d (diff) | |
NFS: Use unsigned intermediates for manipulating header lengths (NFSv4 XDR)
Clean up: prevent length underflow and mixed sign comparison when
unmarshalling NFS version 4 getacl, readdir, and readlink replies.
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
Diffstat (limited to 'fs')
| -rw-r--r-- | fs/nfs/nfs4xdr.c | 14 |
1 files changed, 9 insertions, 5 deletions
diff --git a/fs/nfs/nfs4xdr.c b/fs/nfs/nfs4xdr.c index 51dd3804866f..2e1fe171bf73 100644 --- a/fs/nfs/nfs4xdr.c +++ b/fs/nfs/nfs4xdr.c | |||
| @@ -3476,10 +3476,11 @@ static int decode_readdir(struct xdr_stream *xdr, struct rpc_rqst *req, struct n | |||
| 3476 | struct xdr_buf *rcvbuf = &req->rq_rcv_buf; | 3476 | struct xdr_buf *rcvbuf = &req->rq_rcv_buf; |
| 3477 | struct page *page = *rcvbuf->pages; | 3477 | struct page *page = *rcvbuf->pages; |
| 3478 | struct kvec *iov = rcvbuf->head; | 3478 | struct kvec *iov = rcvbuf->head; |
| 3479 | unsigned int nr, pglen = rcvbuf->page_len; | 3479 | size_t hdrlen; |
| 3480 | u32 recvd, pglen = rcvbuf->page_len; | ||
| 3480 | __be32 *end, *entry, *p, *kaddr; | 3481 | __be32 *end, *entry, *p, *kaddr; |
| 3481 | uint32_t len, attrlen, xlen; | 3482 | unsigned int nr; |
| 3482 | int hdrlen, recvd, status; | 3483 | int status; |
| 3483 | 3484 | ||
| 3484 | status = decode_op_hdr(xdr, OP_READDIR); | 3485 | status = decode_op_hdr(xdr, OP_READDIR); |
| 3485 | if (status) | 3486 | if (status) |
| @@ -3503,6 +3504,7 @@ static int decode_readdir(struct xdr_stream *xdr, struct rpc_rqst *req, struct n | |||
| 3503 | end = p + ((pglen + readdir->pgbase) >> 2); | 3504 | end = p + ((pglen + readdir->pgbase) >> 2); |
| 3504 | entry = p; | 3505 | entry = p; |
| 3505 | for (nr = 0; *p++; nr++) { | 3506 | for (nr = 0; *p++; nr++) { |
| 3507 | u32 len, attrlen, xlen; | ||
| 3506 | if (end - p < 3) | 3508 | if (end - p < 3) |
| 3507 | goto short_pkt; | 3509 | goto short_pkt; |
| 3508 | dprintk("cookie = %Lu, ", *((unsigned long long *)p)); | 3510 | dprintk("cookie = %Lu, ", *((unsigned long long *)p)); |
| @@ -3551,7 +3553,8 @@ static int decode_readlink(struct xdr_stream *xdr, struct rpc_rqst *req) | |||
| 3551 | { | 3553 | { |
| 3552 | struct xdr_buf *rcvbuf = &req->rq_rcv_buf; | 3554 | struct xdr_buf *rcvbuf = &req->rq_rcv_buf; |
| 3553 | struct kvec *iov = rcvbuf->head; | 3555 | struct kvec *iov = rcvbuf->head; |
| 3554 | int hdrlen, len, recvd; | 3556 | size_t hdrlen; |
| 3557 | u32 len, recvd; | ||
| 3555 | __be32 *p; | 3558 | __be32 *p; |
| 3556 | char *kaddr; | 3559 | char *kaddr; |
| 3557 | int status; | 3560 | int status; |
| @@ -3646,7 +3649,8 @@ static int decode_getacl(struct xdr_stream *xdr, struct rpc_rqst *req, | |||
| 3646 | if (unlikely(bitmap[0] & (FATTR4_WORD0_ACL - 1U))) | 3649 | if (unlikely(bitmap[0] & (FATTR4_WORD0_ACL - 1U))) |
| 3647 | return -EIO; | 3650 | return -EIO; |
| 3648 | if (likely(bitmap[0] & FATTR4_WORD0_ACL)) { | 3651 | if (likely(bitmap[0] & FATTR4_WORD0_ACL)) { |
| 3649 | int hdrlen, recvd; | 3652 | size_t hdrlen; |
| 3653 | u32 recvd; | ||
| 3650 | 3654 | ||
| 3651 | /* We ignore &savep and don't do consistency checks on | 3655 | /* We ignore &savep and don't do consistency checks on |
| 3652 | * the attr length. Let userspace figure it out.... */ | 3656 | * the attr length. Let userspace figure it out.... */ |