Merge branch 'for-3.16' of git://linux-nfs.org/~bfields/linux

Pull nfsd bugfixes from Bruce Fields: "By coincidence, two NFSv4 symlink bugs, one introduced in the 3.16 xdr encoding rewrite, the other a decoding bug that I think we've had since the start but that just doesn't trigger very often" * 'for-3.16' of git://linux-nfs.org/~bfields/linux: nfs: fix nfs4d readlink truncated packet nfsd: fix rare symlink decoding bug
author: Linus Torvalds <torvalds@linux-foundation.org> 2014-07-03 21:33:22 -0400
committer: Linus Torvalds <torvalds@linux-foundation.org> 2014-07-03 21:33:22 -0400
commit: 0fba687f9b7ebf5fb028fb8b0a4733b891986bd3 (patch)
tree: 127de5692e6de6dc25894deeaecaea099636dd53 /fs
parent: b9cd18de4db3c9ffa7e17b0dc0ca99ed5aa4d43a (diff)
parent: 69bbd9c7b99974f3a701d4de6ef7010c37182a47 (diff)
2 files changed, 13 insertions, 11 deletions
diff --git a/fs/nfsd/nfs4proc.c b/fs/nfsd/nfs4proc.c
index 6851b003f2a4..8f029db5d271 100644
--- a/fs/nfsd/nfs4proc.c
+++ b/fs/nfsd/nfs4proc.c
@@ -617,15 +617,6 @@ nfsd4_create(struct svc_rqst *rqstp, struct nfsd4_compound_state *cstate,
        switch (create->cr_type) {
        case NF4LNK:
-                /* ugh! we have to null-terminate the linktext, or
-                 * vfs_symlink() will choke.  it is always safe to
-                 * null-terminate by brute force, since at worst we
-                 * will overwrite the first byte of the create namelen
-                 * in the XDR buffer, which has already been extracted
-                 * during XDR decode.
-                 */
-                create->cr_linkname[create->cr_linklen] = 0;
                status = nfsd_symlink(rqstp, &cstate->current_fh,
                                      create->cr_name, create->cr_namelen,
                                      create->cr_linkname, create->cr_linklen,
diff --git a/fs/nfsd/nfs4xdr.c b/fs/nfsd/nfs4xdr.c
index 83baf2bfe9e9..2fc7abebeb9b 100644
--- a/fs/nfsd/nfs4xdr.c
+++ b/fs/nfsd/nfs4xdr.c
@@ -600,7 +600,18 @@ nfsd4_decode_create(struct nfsd4_compoundargs *argp, struct nfsd4_create *create
                READ_BUF(4);
                create->cr_linklen = be32_to_cpup(p++);
                READ_BUF(create->cr_linklen);
-                SAVEMEM(create->cr_linkname, create->cr_linklen);
+                /*
+                 * The VFS will want a null-terminated string, and
+                 * null-terminating in place isn't safe since this might
+                 * end on a page boundary:
+                 */
+                create->cr_linkname =
+                                kmalloc(create->cr_linklen + 1, GFP_KERNEL);
+                if (!create->cr_linkname)
+                        return nfserr_jukebox;
+                memcpy(create->cr_linkname, p, create->cr_linklen);
+                create->cr_linkname[create->cr_linklen] = '\0';
+                defer_free(argp, kfree, create->cr_linkname);
                break;
        case NF4BLK:
        case NF4CHR:
@@ -3267,7 +3278,7 @@ nfsd4_encode_readlink(struct nfsd4_compoundres *resp, __be32 nfserr, struct nfsd
        wire_count = htonl(maxcount);
        write_bytes_to_xdr_buf(xdr->buf, length_offset, &wire_count, 4);
-        xdr_truncate_encode(xdr, length_offset + 4 + maxcount);
+        xdr_truncate_encode(xdr, length_offset + 4 + ALIGN(maxcount, 4));
        if (maxcount & 3)
                write_bytes_to_xdr_buf(xdr->buf, length_offset + 4 + maxcount,
                                                &zero, 4 - (maxcount&3));
author	Linus Torvalds <torvalds@linux-foundation.org>	2014-07-03 21:33:22 -0400
committer	Linus Torvalds <torvalds@linux-foundation.org>	2014-07-03 21:33:22 -0400
commit	0fba687f9b7ebf5fb028fb8b0a4733b891986bd3 (patch)
tree	127de5692e6de6dc25894deeaecaea099636dd53 /fs
parent	b9cd18de4db3c9ffa7e17b0dc0ca99ed5aa4d43a (diff)
parent	69bbd9c7b99974f3a701d4de6ef7010c37182a47 (diff)