1 files changed, 86 insertions, 71 deletions
diff --git a/fs/9p/conv.c b/fs/9p/conv.c
index 1554731bd653..18121af99d3e 100644
--- a/fs/9p/conv.c
+++ b/fs/9p/conv.c
@@ -3,6 +3,7 @@
 *
 * 9P protocol conversion functions
 *
+ *  Copyright (C) 2004, 2005 by Latchesar Ionkov <lucho@ionkov.net>
 *  Copyright (C) 2004 by Eric Van Hensbergen <ericvh@gmail.com>
 *  Copyright (C) 2002 by Ron Minnich <rminnich@lanl.gov>
 *
@@ -55,66 +56,70 @@ static inline int buf_check_overflow(struct cbuf *buf)
        return buf->p > buf->ep;
 }
-static inline void buf_check_size(struct cbuf *buf, int len)
+static inline int buf_check_size(struct cbuf *buf, int len)
 {
        if (buf->p+len > buf->ep) {
                if (buf->p < buf->ep) {
                        eprintk(KERN_ERR, "buffer overflow\n");
                        buf->p = buf->ep + 1;
+                        return 0;
                }
        }
+        return 1;
 }
 static inline void *buf_alloc(struct cbuf *buf, int len)
 {
        void *ret = NULL;
-        buf_check_size(buf, len);
+        if (buf_check_size(buf, len)) {
-        ret = buf->p;
+                ret = buf->p;
-        buf->p += len;
+                buf->p += len;
+        }
        return ret;
 }
 static inline void buf_put_int8(struct cbuf *buf, u8 val)
 {
-        buf_check_size(buf, 1);
+        if (buf_check_size(buf, 1)) {
+                buf->p[0] = val;
-        buf->p[0] = val;
+                buf->p++;
-        buf->p++;
+        }
 }
 static inline void buf_put_int16(struct cbuf *buf, u16 val)
 {
-        buf_check_size(buf, 2);
+        if (buf_check_size(buf, 2)) {
+                *(__le16 *) buf->p = cpu_to_le16(val);
-        *(__le16 *) buf->p = cpu_to_le16(val);
+                buf->p += 2;
-        buf->p += 2;
+        }
 }
 static inline void buf_put_int32(struct cbuf *buf, u32 val)
 {
-        buf_check_size(buf, 4);
+        if (buf_check_size(buf, 4)) {
+                *(__le32 *)buf->p = cpu_to_le32(val);
-        *(__le32 *)buf->p = cpu_to_le32(val);
+                buf->p += 4;
-        buf->p += 4;
+        }
 }
 static inline void buf_put_int64(struct cbuf *buf, u64 val)
 {
-        buf_check_size(buf, 8);
+        if (buf_check_size(buf, 8)) {
+                *(__le64 *)buf->p = cpu_to_le64(val);
-        *(__le64 *)buf->p = cpu_to_le64(val);
+                buf->p += 8;
-        buf->p += 8;
+        }
 }
 static inline void buf_put_stringn(struct cbuf *buf, const char *s, u16 slen)
 {
-        buf_check_size(buf, slen + 2);
+        if (buf_check_size(buf, slen + 2)) {
+                buf_put_int16(buf, slen);
-        buf_put_int16(buf, slen);
+                memcpy(buf->p, s, slen);
-        memcpy(buf->p, s, slen);
+                buf->p += slen;
-        buf->p += slen;
+        }
 }
 static inline void buf_put_string(struct cbuf *buf, const char *s)
@@ -124,20 +129,20 @@ static inline void buf_put_string(struct cbuf *buf, const char *s)
 static inline void buf_put_data(struct cbuf *buf, void *data, u32 datalen)
 {
-        buf_check_size(buf, datalen);
+        if (buf_check_size(buf, datalen)) {
+                memcpy(buf->p, data, datalen);
-        memcpy(buf->p, data, datalen);
+                buf->p += datalen;
-        buf->p += datalen;
+        }
 }
 static inline u8 buf_get_int8(struct cbuf *buf)
 {
        u8 ret = 0;
-        buf_check_size(buf, 1);
+        if (buf_check_size(buf, 1)) {
-        ret = buf->p[0];
+                ret = buf->p[0];
+                buf->p++;
-        buf->p++;
+        }
        return ret;
 }
@@ -146,10 +151,10 @@ static inline u16 buf_get_int16(struct cbuf *buf)
 {
        u16 ret = 0;
-        buf_check_size(buf, 2);
+        if (buf_check_size(buf, 2)) {
-        ret = le16_to_cpu(*(__le16 *)buf->p);
+                ret = le16_to_cpu(*(__le16 *)buf->p);
+                buf->p += 2;
-        buf->p += 2;
+        }
        return ret;
 }
@@ -158,10 +163,10 @@ static inline u32 buf_get_int32(struct cbuf *buf)
 {
        u32 ret = 0;
-        buf_check_size(buf, 4);
+        if (buf_check_size(buf, 4)) {
-        ret = le32_to_cpu(*(__le32 *)buf->p);
+                ret = le32_to_cpu(*(__le32 *)buf->p);
+                buf->p += 4;
-        buf->p += 4;
+        }
        return ret;
 }
@@ -170,10 +175,10 @@ static inline u64 buf_get_int64(struct cbuf *buf)
 {
        u64 ret = 0;
-        buf_check_size(buf, 8);
+        if (buf_check_size(buf, 8)) {
-        ret = le64_to_cpu(*(__le64 *)buf->p);
+                ret = le64_to_cpu(*(__le64 *)buf->p);
+                buf->p += 8;
-        buf->p += 8;
+        }
        return ret;
 }
@@ -181,27 +186,35 @@ static inline u64 buf_get_int64(struct cbuf *buf)
 static inline int
 buf_get_string(struct cbuf *buf, char *data, unsigned int datalen)
 {
+        u16 len = 0;
+        len = buf_get_int16(buf);
+        if (!buf_check_overflow(buf) && buf_check_size(buf, len) && len+1>datalen) {
+                memcpy(data, buf->p, len);
+                data[len] = 0;
+                buf->p += len;
+                len++;
+        }
-        u16 len = buf_get_int16(buf);
+        return len;
-        buf_check_size(buf, len);
-        if (len + 1 > datalen)
-                return 0;
-        memcpy(data, buf->p, len);
-        data[len] = 0;
-        buf->p += len;
-        return len + 1;
 }
 static inline char *buf_get_stringb(struct cbuf *buf, struct cbuf *sbuf)
 {
-        char *ret = NULL;
+        char *ret;
-        int n = buf_get_string(buf, sbuf->p, sbuf->ep - sbuf->p);
+        u16 len;
+        ret = NULL;
+        len = buf_get_int16(buf);
-        if (n > 0) {
+        if (!buf_check_overflow(buf) && buf_check_size(buf, len) &&
+                buf_check_size(sbuf, len+1)) {
+                memcpy(sbuf->p, buf->p, len);
+                sbuf->p[len] = 0;
                ret = sbuf->p;
-                sbuf->p += n;
+                buf->p += len;
+                sbuf->p += len + 1;
        }
        return ret;
@@ -209,12 +222,15 @@ static inline char *buf_get_stringb(struct cbuf *buf, struct cbuf *sbuf)
 static inline int buf_get_data(struct cbuf *buf, void *data, int datalen)
 {
-        buf_check_size(buf, datalen);
+        int ret = 0;
-        memcpy(data, buf->p, datalen);
+        if (buf_check_size(buf, datalen)) {
-        buf->p += datalen;
+                memcpy(data, buf->p, datalen);
+                buf->p += datalen;
+                ret = datalen;
+        }
-        return datalen;
+        return ret;
 }
 static inline void *buf_get_datab(struct cbuf *buf, struct cbuf *dbuf,
@@ -223,13 +239,12 @@ static inline void *buf_get_datab(struct cbuf *buf, struct cbuf *dbuf,
        char *ret = NULL;
        int n = 0;
-        buf_check_size(dbuf, datalen);
+        if (buf_check_size(dbuf, datalen)) {
+                n = buf_get_data(buf, dbuf->p, datalen);
-        n = buf_get_data(buf, dbuf->p, datalen);
+                if (n > 0) {
+                        ret = dbuf->p;
-        if (n > 0) {
+                        dbuf->p += n;
-                ret = dbuf->p;
+                }
-                dbuf->p += n;
        }
        return ret;
@@ -636,7 +651,7 @@ v9fs_deserialize_fcall(struct v9fs_session_info *v9ses, u32 msgsize,
                break;
        case RWALK:
                rcall->params.rwalk.nwqid = buf_get_int16(bufp);
-                rcall->params.rwalk.wqids = buf_alloc(bufp,
+                rcall->params.rwalk.wqids = buf_alloc(dbufp,
                      rcall->params.rwalk.nwqid * sizeof(struct v9fs_qid));
                if (rcall->params.rwalk.wqids)
                        for (i = 0; i < rcall->params.rwalk.nwqid; i++) {

diff --git a/fs/9p/conv.c b/fs/9p/conv.c index 1554731bd653..18121af99d3e 100644 --- a/fs/9p/conv.c +++ b/fs/9p/conv.c
@@ -3,6 +3,7 @@
3	*	3	*
4	* 9P protocol conversion functions	4	* 9P protocol conversion functions
5	*	5	*
		6	* Copyright (C) 2004, 2005 by Latchesar Ionkov <lucho@ionkov.net>
6	* Copyright (C) 2004 by Eric Van Hensbergen <ericvh@gmail.com>	7	* Copyright (C) 2004 by Eric Van Hensbergen <ericvh@gmail.com>
7	* Copyright (C) 2002 by Ron Minnich <rminnich@lanl.gov>	8	* Copyright (C) 2002 by Ron Minnich <rminnich@lanl.gov>
8	*	9	*
@@ -55,66 +56,70 @@ static inline int buf_check_overflow(struct cbuf *buf)
55	return buf->p > buf->ep;	56	return buf->p > buf->ep;
56	}	57	}
57		58
58	static inline void buf_check_size(struct cbuf *buf, int len)	59	static inline int buf_check_size(struct cbuf *buf, int len)
59	{	60	{
60	if (buf->p+len > buf->ep) {	61	if (buf->p+len > buf->ep) {
61	if (buf->p < buf->ep) {	62	if (buf->p < buf->ep) {
62	eprintk(KERN_ERR, "buffer overflow\n");	63	eprintk(KERN_ERR, "buffer overflow\n");
63	buf->p = buf->ep + 1;	64	buf->p = buf->ep + 1;
		65	return 0;
64	}	66	}
65	}	67	}
		68
		69	return 1;
66	}	70	}
67		71
68	static inline void buf_alloc(struct cbuf buf, int len)	72	static inline void buf_alloc(struct cbuf buf, int len)
69	{	73	{
70	void *ret = NULL;	74	void *ret = NULL;
71		75
72	buf_check_size(buf, len);	76	if (buf_check_size(buf, len)) {
73	ret = buf->p;	77	ret = buf->p;
74	buf->p += len;	78	buf->p += len;
		79	}
75		80
76	return ret;	81	return ret;
77	}	82	}
78		83
79	static inline void buf_put_int8(struct cbuf *buf, u8 val)	84	static inline void buf_put_int8(struct cbuf *buf, u8 val)
80	{	85	{
81	buf_check_size(buf, 1);	86	if (buf_check_size(buf, 1)) {
82		87	buf->p[0] = val;
83	buf->p[0] = val;	88	buf->p++;
84	buf->p++;	89	}
85	}	90	}
86		91
87	static inline void buf_put_int16(struct cbuf *buf, u16 val)	92	static inline void buf_put_int16(struct cbuf *buf, u16 val)
88	{	93	{
89	buf_check_size(buf, 2);	94	if (buf_check_size(buf, 2)) {
90		95	(__le16 ) buf->p = cpu_to_le16(val);
91	(__le16 ) buf->p = cpu_to_le16(val);	96	buf->p += 2;
92	buf->p += 2;	97	}
93	}	98	}
94		99
95	static inline void buf_put_int32(struct cbuf *buf, u32 val)	100	static inline void buf_put_int32(struct cbuf *buf, u32 val)
96	{	101	{
97	buf_check_size(buf, 4);	102	if (buf_check_size(buf, 4)) {
98		103	(__le32 )buf->p = cpu_to_le32(val);
99	(__le32 )buf->p = cpu_to_le32(val);	104	buf->p += 4;
100	buf->p += 4;	105	}
101	}	106	}
102		107
103	static inline void buf_put_int64(struct cbuf *buf, u64 val)	108	static inline void buf_put_int64(struct cbuf *buf, u64 val)
104	{	109	{
105	buf_check_size(buf, 8);	110	if (buf_check_size(buf, 8)) {
106		111	(__le64 )buf->p = cpu_to_le64(val);
107	(__le64 )buf->p = cpu_to_le64(val);	112	buf->p += 8;
108	buf->p += 8;	113	}
109	}	114	}
110		115
111	static inline void buf_put_stringn(struct cbuf buf, const char s, u16 slen)	116	static inline void buf_put_stringn(struct cbuf buf, const char s, u16 slen)
112	{	117	{
113	buf_check_size(buf, slen + 2);	118	if (buf_check_size(buf, slen + 2)) {
114		119	buf_put_int16(buf, slen);
115	buf_put_int16(buf, slen);	120	memcpy(buf->p, s, slen);
116	memcpy(buf->p, s, slen);	121	buf->p += slen;
117	buf->p += slen;	122	}
118	}	123	}
119		124
120	static inline void buf_put_string(struct cbuf buf, const char s)	125	static inline void buf_put_string(struct cbuf buf, const char s)
@@ -124,20 +129,20 @@ static inline void buf_put_string(struct cbuf buf, const char s)
124		129
125	static inline void buf_put_data(struct cbuf buf, void data, u32 datalen)	130	static inline void buf_put_data(struct cbuf buf, void data, u32 datalen)
126	{	131	{
127	buf_check_size(buf, datalen);	132	if (buf_check_size(buf, datalen)) {
128		133	memcpy(buf->p, data, datalen);
129	memcpy(buf->p, data, datalen);	134	buf->p += datalen;
130	buf->p += datalen;	135	}
131	}	136	}
132		137
133	static inline u8 buf_get_int8(struct cbuf *buf)	138	static inline u8 buf_get_int8(struct cbuf *buf)
134	{	139	{
135	u8 ret = 0;	140	u8 ret = 0;
136		141
137	buf_check_size(buf, 1);	142	if (buf_check_size(buf, 1)) {
138	ret = buf->p[0];	143	ret = buf->p[0];
139		144	buf->p++;
140	buf->p++;	145	}
141		146
142	return ret;	147	return ret;
143	}	148	}
@@ -146,10 +151,10 @@ static inline u16 buf_get_int16(struct cbuf *buf)
146	{	151	{
147	u16 ret = 0;	152	u16 ret = 0;
148		153
149	buf_check_size(buf, 2);	154	if (buf_check_size(buf, 2)) {
150	ret = le16_to_cpu((__le16 )buf->p);	155	ret = le16_to_cpu((__le16 )buf->p);
151		156	buf->p += 2;
152	buf->p += 2;	157	}
153		158
154	return ret;	159	return ret;
155	}	160	}
@@ -158,10 +163,10 @@ static inline u32 buf_get_int32(struct cbuf *buf)
158	{	163	{
159	u32 ret = 0;	164	u32 ret = 0;
160		165
161	buf_check_size(buf, 4);	166	if (buf_check_size(buf, 4)) {
162	ret = le32_to_cpu((__le32 )buf->p);	167	ret = le32_to_cpu((__le32 )buf->p);
163		168	buf->p += 4;
164	buf->p += 4;	169	}
165		170
166	return ret;	171	return ret;
167	}	172	}
@@ -170,10 +175,10 @@ static inline u64 buf_get_int64(struct cbuf *buf)
170	{	175	{
171	u64 ret = 0;	176	u64 ret = 0;
172		177
173	buf_check_size(buf, 8);	178	if (buf_check_size(buf, 8)) {
174	ret = le64_to_cpu((__le64 )buf->p);	179	ret = le64_to_cpu((__le64 )buf->p);
175		180	buf->p += 8;
176	buf->p += 8;	181	}
177		182
178	return ret;	183	return ret;
179	}	184	}
@@ -181,27 +186,35 @@ static inline u64 buf_get_int64(struct cbuf *buf)
181	static inline int	186	static inline int
182	buf_get_string(struct cbuf buf, char data, unsigned int datalen)	187	buf_get_string(struct cbuf buf, char data, unsigned int datalen)
183	{	188	{
		189	u16 len = 0;
		190
		191	len = buf_get_int16(buf);
		192	if (!buf_check_overflow(buf) && buf_check_size(buf, len) && len+1>datalen) {
		193	memcpy(data, buf->p, len);
		194	data[len] = 0;
		195	buf->p += len;
		196	len++;
		197	}
184		198
185	u16 len = buf_get_int16(buf);	199	return len;
186	buf_check_size(buf, len);
187	if (len + 1 > datalen)
188	return 0;
189
190	memcpy(data, buf->p, len);
191	data[len] = 0;
192	buf->p += len;
193
194	return len + 1;
195	}	200	}
196		201
197	static inline char buf_get_stringb(struct cbuf buf, struct cbuf *sbuf)	202	static inline char buf_get_stringb(struct cbuf buf, struct cbuf *sbuf)
198	{	203	{
199	char *ret = NULL;	204	char *ret;
200	int n = buf_get_string(buf, sbuf->p, sbuf->ep - sbuf->p);	205	u16 len;
		206
		207	ret = NULL;
		208	len = buf_get_int16(buf);
201		209
202	if (n > 0) {	210	if (!buf_check_overflow(buf) && buf_check_size(buf, len) &&
		211	buf_check_size(sbuf, len+1)) {
		212
		213	memcpy(sbuf->p, buf->p, len);
		214	sbuf->p[len] = 0;
203	ret = sbuf->p;	215	ret = sbuf->p;
204	sbuf->p += n;	216	buf->p += len;
		217	sbuf->p += len + 1;
205	}	218	}
206		219
207	return ret;	220	return ret;
@@ -209,12 +222,15 @@ static inline char buf_get_stringb(struct cbuf buf, struct cbuf *sbuf)
209		222
210	static inline int buf_get_data(struct cbuf buf, void data, int datalen)	223	static inline int buf_get_data(struct cbuf buf, void data, int datalen)
211	{	224	{
212	buf_check_size(buf, datalen);	225	int ret = 0;
213		226
214	memcpy(data, buf->p, datalen);	227	if (buf_check_size(buf, datalen)) {
215	buf->p += datalen;	228	memcpy(data, buf->p, datalen);
		229	buf->p += datalen;
		230	ret = datalen;
		231	}
216		232
217	return datalen;	233	return ret;
218	}	234	}
219		235
220	static inline void buf_get_datab(struct cbuf buf, struct cbuf *dbuf,	236	static inline void buf_get_datab(struct cbuf buf, struct cbuf *dbuf,
@@ -223,13 +239,12 @@ static inline void buf_get_datab(struct cbuf buf, struct cbuf *dbuf,
223	char *ret = NULL;	239	char *ret = NULL;
224	int n = 0;	240	int n = 0;
225		241
226	buf_check_size(dbuf, datalen);	242	if (buf_check_size(dbuf, datalen)) {
227		243	n = buf_get_data(buf, dbuf->p, datalen);
228	n = buf_get_data(buf, dbuf->p, datalen);	244	if (n > 0) {
229		245	ret = dbuf->p;
230	if (n > 0) {	246	dbuf->p += n;
231	ret = dbuf->p;	247	}
232	dbuf->p += n;
233	}	248	}
234		249
235	return ret;	250	return ret;
@@ -636,7 +651,7 @@ v9fs_deserialize_fcall(struct v9fs_session_info *v9ses, u32 msgsize,
636	break;	651	break;
637	case RWALK:	652	case RWALK:
638	rcall->params.rwalk.nwqid = buf_get_int16(bufp);	653	rcall->params.rwalk.nwqid = buf_get_int16(bufp);
639	rcall->params.rwalk.wqids = buf_alloc(bufp,	654	rcall->params.rwalk.wqids = buf_alloc(dbufp,
640	rcall->params.rwalk.nwqid * sizeof(struct v9fs_qid));	655	rcall->params.rwalk.nwqid * sizeof(struct v9fs_qid));
641	if (rcall->params.rwalk.wqids)	656	if (rcall->params.rwalk.wqids)
642	for (i = 0; i < rcall->params.rwalk.nwqid; i++) {	657	for (i = 0; i < rcall->params.rwalk.nwqid; i++) {