[PATCH] bounds checking for NFSv3 readdirplus

Ted Phelps (phelps@dstc.edu.au)
Tue, 14 Jan 2003 20:49:12 +0000


The NFSv3 readdirplus path doesn't check to see if maxcount is less
than the size of a page before it fills it up, possibly overwriting
random bits of memory. At least, it makes my Solaris NFSv3 client
work.

The attached patch, against 2.5.58, adds this check in a way which is
consistent with the way readdir does under both NFSv2 and NFSv3.

Thanks,
-Ted

---8<---

diff -Naur linux-2.5.58-orig/fs/nfsd/nfs3xdr.c linux-2.5.58/fs/nfsd/nfs3xdr.c
--- linux-2.5.58-orig/fs/nfsd/nfs3xdr.c 2003-01-10 09:41:52.000000000 +0000
+++ linux-2.5.58/fs/nfsd/nfs3xdr.c 2003-01-14 19:57:03.000000000 +0000
@@ -578,6 +578,9 @@
args->dircount = ntohl(*p++);
args->count = ntohl(*p++);

+ if (args->count > PAGE_SIZE)
+ args->count = PAGE_SIZE;
+
svc_take_page(rqstp);
args->buffer = page_address(rqstp->rq_respages[rqstp->rq_resused-1]);

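Review bot: The new clamp on args->count, placed just before svc_take_page(), carries no comment explaining why PAGE_SIZE is the limit. The context lines show that args->buffer is the single page obtained from svc_take_page() and mapped with page_address(), so a one-line comment above the `if` stating that the reply buffer is exactly one page would keep the bound tied to the allocation it protects. Separately, args->dircount is decoded on the line above and is left unclamped by this hunk; if the encode side ever uses it to size writes into the same page it needs the same bound, otherwise it is worth saying in the changelog why only count matters. The clamp is also silent: a client asking for more than a page gets a shorter reply rather than an error, which matches what the message describes for readdir but should be stated so nobody later "fixes" it into a rejection.
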