| -rw-r--r-- | fs/nfsd/nfs4proc.c | 9 | ||||
| -rw-r--r-- | fs/nfsd/nfs4xdr.c | 13 |
2 files changed, 12 insertions, 10 deletions
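--- a/fs/nfsd/nfs4proc.c
+++ b/fs/nfsd/nfs4proc.c
@@ -617,15 +617,6 @@ nfsd4_create(struct svc_rqst *rqstp, struct nfsd4_compound_state *cstate,
 
 	switch (create->cr_type) {
 	case NF4LNK:
-		/* ugh! we have to null-terminate the linktext, or
-		 * vfs_symlink() will choke. it is always safe to
-		 * null-terminate by brute force, since at worst we
-		 * will overwrite the first byte of the create namelen
-		 * in the XDR buffer, which has already been extracted
-		 * during XDR decode.
-		 */
-		create->cr_linkname[create->cr_linklen] = 0;
-
 		status = nfsd_symlink(rqstp, &cstate->current_fh,
 				     create->cr_name, create->cr_namelen,
 				     create->cr_linkname, create->cr_linklen,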
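--- a/fs/nfsd/nfs4xdr.c
+++ b/fs/nfsd/nfs4xdr.c
@@ -600,7 +600,18 @@ nfsd4_decode_create(struct nfsd4_compoundargs *argp, struct nfsd4_create *create
 		READ_BUF(4);
 		create->cr_linklen = be32_to_cpup(p++);
 		READ_BUF(create->cr_linklen);
-		SAVEMEM(create->cr_linkname, create->cr_linklen);
+		/*
+		 * The VFS will want a null-terminated string, and
+		 * null-terminating in place isn't safe since this might
+		 * end on a page boundary:
+		 */
+		create->cr_linkname =
+			kmalloc(create->cr_linklen + 1, GFP_KERNEL);
+		if (!create->cr_linkname)
+			return nfserr_jukebox;
+		memcpy(create->cr_linkname, p, create->cr_linklen);
+		create->cr_linkname[create->cr_linklen] = '\0';
+		defer_free(argp, kfree, create->cr_linkname);
 		break;
 	case NF4BLK:
 	case NF4CHR: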
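Review bot: The copied linktext is terminated at cr_linklen but never checked for an embedded NUL, so a client-supplied target containing '\0' would be silently truncated by any consumer that treats cr_linkname as a C string, which the new comment says the VFS does; whether nfsd_symlink re-validates the buffer against cr_linklen is not visible in this hunk. If nothing downstream rejects it, the decoder is the cheapest place to do so, right after `READ_BUF(create->cr_linklen);`: `if (memchr(p, '\0', create->cr_linklen)) return nfserr_inval;`. A zero-length linktext is likewise accepted here and presumably left for the VFS to refuse; a one-line comment saying so would save the next reader the question. The allocation size itself is fine, since READ_BUF has already bounded cr_linklen by the received request, so cr_linklen + 1 cannot wrap. nfsd4_decode_create begins before and continues past this hunk.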
