aboutsummaryrefslogtreecommitdiffstats
path: root/fs
diff options
context:
space:
mode:
authorNeilBrown <neilb@suse.de>2012-09-17 02:46:34 -0400
committerTrond Myklebust <Trond.Myklebust@netapp.com>2012-09-25 10:38:54 -0400
commit62d98c935456ee121b03d6a68aa3091a04085b7e (patch)
tree09f58145bc10308f4672ee156a0ed23ea87c4f7b /fs
parente8d920c58ddb45126e1b306854f6e34b88446baf (diff)
NFS4: avoid underflow when converting error to pointer.
In nfs4_create_sec_client, 'flavor' can hold a negative error code (returned from nfs4_negotiate_security), even though it is an 'enum' and hence unsigned. The code is careful to cast it to an (int) before testing if it is negative, however it doesn't cast to an (int) before calling ERR_PTR. On a machine where "void*" is larger than "int", this results in the unsigned equivalent of -1 (e.g. 0xffffffff) being converted to a pointer. Subsequent code determines that this is not negative, and so dereferences it with predictable results. So: cast 'flavor' to a (signed) int before passing to ERR_PTR. cc: Benny Halevy <bhalevy@tonian.com> Signed-off-by: NeilBrown <neilb@suse.de> Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
Diffstat (limited to 'fs')
-rw-r--r--fs/nfs/nfs4namespace.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/fs/nfs/nfs4namespace.c b/fs/nfs/nfs4namespace.c
index 398d5fd74157..4fdeb1b7042e 100644
--- a/fs/nfs/nfs4namespace.c
+++ b/fs/nfs/nfs4namespace.c
@@ -198,7 +198,7 @@ struct rpc_clnt *nfs4_create_sec_client(struct rpc_clnt *clnt, struct inode *ino
198 198
199 flavor = nfs4_negotiate_security(inode, name); 199 flavor = nfs4_negotiate_security(inode, name);
200 if ((int)flavor < 0) 200 if ((int)flavor < 0)
201 return ERR_PTR(flavor); 201 return ERR_PTR((int)flavor);
202 202
203 clone = rpc_clone_client(clnt); 203 clone = rpc_clone_client(clnt);
204 if (IS_ERR(clone)) 204 if (IS_ERR(clone))