diff options
Diffstat (limited to 'fs/nfs/nfs4xdr.c')
| -rw-r--r-- | fs/nfs/nfs4xdr.c | 21 |
1 files changed, 11 insertions, 10 deletions
diff --git a/fs/nfs/nfs4xdr.c b/fs/nfs/nfs4xdr.c index 1750d996f49f..730ec8fb31c6 100644 --- a/fs/nfs/nfs4xdr.c +++ b/fs/nfs/nfs4xdr.c | |||
| @@ -3355,7 +3355,7 @@ static int decode_readdir(struct xdr_stream *xdr, struct rpc_rqst *req, struct n | |||
| 3355 | struct kvec *iov = rcvbuf->head; | 3355 | struct kvec *iov = rcvbuf->head; |
| 3356 | unsigned int nr, pglen = rcvbuf->page_len; | 3356 | unsigned int nr, pglen = rcvbuf->page_len; |
| 3357 | uint32_t *end, *entry, *p, *kaddr; | 3357 | uint32_t *end, *entry, *p, *kaddr; |
| 3358 | uint32_t len, attrlen; | 3358 | uint32_t len, attrlen, xlen; |
| 3359 | int hdrlen, recvd, status; | 3359 | int hdrlen, recvd, status; |
| 3360 | 3360 | ||
| 3361 | status = decode_op_hdr(xdr, OP_READDIR); | 3361 | status = decode_op_hdr(xdr, OP_READDIR); |
| @@ -3377,10 +3377,10 @@ static int decode_readdir(struct xdr_stream *xdr, struct rpc_rqst *req, struct n | |||
| 3377 | 3377 | ||
| 3378 | BUG_ON(pglen + readdir->pgbase > PAGE_CACHE_SIZE); | 3378 | BUG_ON(pglen + readdir->pgbase > PAGE_CACHE_SIZE); |
| 3379 | kaddr = p = (uint32_t *) kmap_atomic(page, KM_USER0); | 3379 | kaddr = p = (uint32_t *) kmap_atomic(page, KM_USER0); |
| 3380 | end = (uint32_t *) ((char *)p + pglen + readdir->pgbase); | 3380 | end = p + ((pglen + readdir->pgbase) >> 2); |
| 3381 | entry = p; | 3381 | entry = p; |
| 3382 | for (nr = 0; *p++; nr++) { | 3382 | for (nr = 0; *p++; nr++) { |
| 3383 | if (p + 3 > end) | 3383 | if (end - p < 3) |
| 3384 | goto short_pkt; | 3384 | goto short_pkt; |
| 3385 | dprintk("cookie = %Lu, ", *((unsigned long long *)p)); | 3385 | dprintk("cookie = %Lu, ", *((unsigned long long *)p)); |
| 3386 | p += 2; /* cookie */ | 3386 | p += 2; /* cookie */ |
| @@ -3389,18 +3389,19 @@ static int decode_readdir(struct xdr_stream *xdr, struct rpc_rqst *req, struct n | |||
| 3389 | printk(KERN_WARNING "NFS: giant filename in readdir (len 0x%x)\n", len); | 3389 | printk(KERN_WARNING "NFS: giant filename in readdir (len 0x%x)\n", len); |
| 3390 | goto err_unmap; | 3390 | goto err_unmap; |
| 3391 | } | 3391 | } |
| 3392 | dprintk("filename = %*s\n", len, (char *)p); | 3392 | xlen = XDR_QUADLEN(len); |
| 3393 | p += XDR_QUADLEN(len); | 3393 | if (end - p < xlen + 1) |
| 3394 | if (p + 1 > end) | ||
| 3395 | goto short_pkt; | 3394 | goto short_pkt; |
| 3395 | dprintk("filename = %*s\n", len, (char *)p); | ||
| 3396 | p += xlen; | ||
| 3396 | len = ntohl(*p++); /* bitmap length */ | 3397 | len = ntohl(*p++); /* bitmap length */ |
| 3397 | p += len; | 3398 | if (end - p < len + 1) |
| 3398 | if (p + 1 > end) | ||
| 3399 | goto short_pkt; | 3399 | goto short_pkt; |
| 3400 | p += len; | ||
| 3400 | attrlen = XDR_QUADLEN(ntohl(*p++)); | 3401 | attrlen = XDR_QUADLEN(ntohl(*p++)); |
| 3401 | p += attrlen; /* attributes */ | 3402 | if (end - p < attrlen + 2) |
| 3402 | if (p + 2 > end) | ||
| 3403 | goto short_pkt; | 3403 | goto short_pkt; |
| 3404 | p += attrlen; /* attributes */ | ||
| 3404 | entry = p; | 3405 | entry = p; |
| 3405 | } | 3406 | } |
| 3406 | if (!nr && (entry[0] != 0 || entry[1] == 0)) | 3407 | if (!nr && (entry[0] != 0 || entry[1] == 0)) |