author Pan Bian <bianpan2016@163.com> 2017-04-23 08:49:41 +0200
committer Trond Myklebust <trond.myklebust@primarydata.com> 2017-04-28 19:06:59 +0200
commit 4edabfd7d0f7d39eeda8ffac76d9e884c22951d9
tree df89653068ba714a55f6e4429dc7269e1588a9d6
parent nfs/filelayout: fix NULL pointer dereference in fl_pnfs_update_layout()
NFSv4: check return value of xdr_inline_decode
Function xdr_inline_decode() will return a NULL pointer if the input buffer does not have long enough buffer to decode nbytes of data. However, in function decode_op_map(), the return value of xdr_inline_decode() is not validated before it is used. This patch adds a check to the return value of xdr_inline_decode().

Signed-off-by: Pan Bian <bianpan2016@163.com>
Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
-rw-r--r-- fs/nfs/nfs4xdr.c 2
1 files changed, 2 insertions, 0 deletions
diff --git a/fs/nfs/nfs4xdr.c b/fs/nfs/nfs4xdr.c
index 125212588115..dbfe48ac3529 100644
--- a/fs/nfs/nfs4xdr.c
+++ b/fs/nfs/nfs4xdr.c
@@ -5570,6 +5570,8 @@ static int decode_op_map(struct xdr_stream *xdr, struct nfs4_op_map *op_map)
unsigned int i;
p = xdr_inline_decode(xdr, 4);
+ if (!p)
+ return -EIO;
bitmap_words = be32_to_cpup(p++);
if (bitmap_words > NFS4_OP_MAP_NUM_WORDS)
return -EIO;
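Review bot: The added `if (!p)` check after `p = xdr_inline_decode(xdr, 4)` covers only this first decode, while the commit message describes the unchecked return value in decode_op_map() in general terms. The rest of the function is outside this hunk; if it calls xdr_inline_decode() again to fetch the `bitmap_words` words, that pointer needs the same NULL check before it is dereferenced, otherwise a reply truncated just after the length word would still reach a NULL dereference. A smaller point: the new path returns -EIO, the same code as the `bitmap_words > NFS4_OP_MAP_NUM_WORDS` case below it, so a caller cannot tell a short buffer from an oversized bitmap. That is fine if both are treated as a malformed reply, but a one-line comment saying so would help.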