1 files changed, 5 insertions, 9 deletions
diff --git a/fs/nfs/nfs4xdr.c b/fs/nfs/nfs4xdr.c
index 1bfbd67c556d..541e796e6db5 100644
--- a/fs/nfs/nfs4xdr.c
+++ b/fs/nfs/nfs4xdr.c
@@ -5072,18 +5072,14 @@ static int decode_getacl(struct xdr_stream *xdr, struct rpc_rqst *req,
                 * are stored with the acl data to handle the problem of
                 * variable length bitmaps.*/
                res->acl_data_offset = xdr_stream_pos(xdr) - pg_offset;
-                /* We ignore &savep and don't do consistency checks on
-                 * the attr length.  Let userspace figure it out.... */
                res->acl_len = attrlen;
-                if (attrlen > (xdr->nwords << 2)) {
-                        if (res->acl_flags & NFS4_ACL_LEN_REQUEST) {
+                /* Check for receive buffer overflow */
-                                /* getxattr interface called with a NULL buf */
+                if (res->acl_len > (xdr->nwords << 2) ||
-                                goto out;
+                    res->acl_len + res->acl_data_offset > xdr->buf->page_len) {
-                        }
+                        res->acl_flags |= NFS4_ACL_TRUNC;
                        dprintk("NFS: acl reply: attrlen %u > page_len %u\n",
                                        attrlen, xdr->nwords << 2);
-                        return -EINVAL;
                }
        } else
                status = -EOPNOTSUPP;

diff --git a/fs/nfs/nfs4xdr.c b/fs/nfs/nfs4xdr.c index 1bfbd67c556d..541e796e6db5 100644 --- a/fs/nfs/nfs4xdr.c +++ b/fs/nfs/nfs4xdr.c
@@ -5072,18 +5072,14 @@ static int decode_getacl(struct xdr_stream xdr, struct rpc_rqst req,
5072	* are stored with the acl data to handle the problem of	5072	* are stored with the acl data to handle the problem of
5073	* variable length bitmaps.*/	5073	* variable length bitmaps.*/
5074	res->acl_data_offset = xdr_stream_pos(xdr) - pg_offset;	5074	res->acl_data_offset = xdr_stream_pos(xdr) - pg_offset;
5075
5076	/* We ignore &savep and don't do consistency checks on
5077	* the attr length. Let userspace figure it out.... */
5078	res->acl_len = attrlen;	5075	res->acl_len = attrlen;
5079	if (attrlen > (xdr->nwords << 2)) {	5076
5080	if (res->acl_flags & NFS4_ACL_LEN_REQUEST) {	5077	/* Check for receive buffer overflow */
5081	/* getxattr interface called with a NULL buf */	5078	if (res->acl_len > (xdr->nwords << 2) \|\|
5082	goto out;	5079	res->acl_len + res->acl_data_offset > xdr->buf->page_len) {
5083	}	5080	res->acl_flags \|= NFS4_ACL_TRUNC;
5084	dprintk("NFS: acl reply: attrlen %u > page_len %u\n",	5081	dprintk("NFS: acl reply: attrlen %u > page_len %u\n",
5085	attrlen, xdr->nwords << 2);	5082	attrlen, xdr->nwords << 2);
5086	return -EINVAL;
5087	}	5083	}
5088	} else	5084	} else
5089	status = -EOPNOTSUPP;	5085	status = -EOPNOTSUPP;