diff options
Diffstat (limited to 'fs/nfs')
| -rw-r--r-- | fs/nfs/nfs4xdr.c | 11 |
1 files changed, 6 insertions, 5 deletions
diff --git a/fs/nfs/nfs4xdr.c b/fs/nfs/nfs4xdr.c index 54d3f5a9faa6..1bfbd67c556d 100644 --- a/fs/nfs/nfs4xdr.c +++ b/fs/nfs/nfs4xdr.c | |||
| @@ -5045,10 +5045,10 @@ static int decode_getacl(struct xdr_stream *xdr, struct rpc_rqst *req, | |||
| 5045 | struct nfs_getaclres *res) | 5045 | struct nfs_getaclres *res) |
| 5046 | { | 5046 | { |
| 5047 | unsigned int savep; | 5047 | unsigned int savep; |
| 5048 | __be32 *bm_p; | ||
| 5049 | uint32_t attrlen, | 5048 | uint32_t attrlen, |
| 5050 | bitmap[3] = {0}; | 5049 | bitmap[3] = {0}; |
| 5051 | int status; | 5050 | int status; |
| 5051 | unsigned int pg_offset; | ||
| 5052 | 5052 | ||
| 5053 | res->acl_len = 0; | 5053 | res->acl_len = 0; |
| 5054 | if ((status = decode_op_hdr(xdr, OP_GETATTR)) != 0) | 5054 | if ((status = decode_op_hdr(xdr, OP_GETATTR)) != 0) |
| @@ -5056,7 +5056,8 @@ static int decode_getacl(struct xdr_stream *xdr, struct rpc_rqst *req, | |||
| 5056 | 5056 | ||
| 5057 | xdr_enter_page(xdr, xdr->buf->page_len); | 5057 | xdr_enter_page(xdr, xdr->buf->page_len); |
| 5058 | 5058 | ||
| 5059 | bm_p = xdr->p; | 5059 | /* Calculate the offset of the page data */ |
| 5060 | pg_offset = xdr->buf->head[0].iov_len; | ||
| 5060 | 5061 | ||
| 5061 | if ((status = decode_attr_bitmap(xdr, bitmap)) != 0) | 5062 | if ((status = decode_attr_bitmap(xdr, bitmap)) != 0) |
| 5062 | goto out; | 5063 | goto out; |
| @@ -5070,18 +5071,18 @@ static int decode_getacl(struct xdr_stream *xdr, struct rpc_rqst *req, | |||
| 5070 | /* The bitmap (xdr len + bitmaps) and the attr xdr len words | 5071 | /* The bitmap (xdr len + bitmaps) and the attr xdr len words |
| 5071 | * are stored with the acl data to handle the problem of | 5072 | * are stored with the acl data to handle the problem of |
| 5072 | * variable length bitmaps.*/ | 5073 | * variable length bitmaps.*/ |
| 5073 | res->acl_data_offset = (xdr->p - bm_p) << 2; | 5074 | res->acl_data_offset = xdr_stream_pos(xdr) - pg_offset; |
| 5074 | 5075 | ||
| 5075 | /* We ignore &savep and don't do consistency checks on | 5076 | /* We ignore &savep and don't do consistency checks on |
| 5076 | * the attr length. Let userspace figure it out.... */ | 5077 | * the attr length. Let userspace figure it out.... */ |
| 5077 | res->acl_len = attrlen; | 5078 | res->acl_len = attrlen; |
| 5078 | if (attrlen + res->acl_data_offset > xdr->buf->page_len) { | 5079 | if (attrlen > (xdr->nwords << 2)) { |
| 5079 | if (res->acl_flags & NFS4_ACL_LEN_REQUEST) { | 5080 | if (res->acl_flags & NFS4_ACL_LEN_REQUEST) { |
| 5080 | /* getxattr interface called with a NULL buf */ | 5081 | /* getxattr interface called with a NULL buf */ |
| 5081 | goto out; | 5082 | goto out; |
| 5082 | } | 5083 | } |
| 5083 | dprintk("NFS: acl reply: attrlen %u > page_len %u\n", | 5084 | dprintk("NFS: acl reply: attrlen %u > page_len %u\n", |
| 5084 | attrlen, xdr->buf->page_len); | 5085 | attrlen, xdr->nwords << 2); |
| 5085 | return -EINVAL; | 5086 | return -EINVAL; |
| 5086 | } | 5087 | } |
| 5087 | } else | 5088 | } else |