diff options
author | NeilBrown <neilb@cse.unsw.edu.au> | 2005-11-07 10:00:26 +0100 |
---|---|---|
committer | Linus Torvalds <torvalds@g5.osdl.org> | 2005-11-07 16:53:48 +0100 |
commit | 0ba7536d5d47e4ecf2259a80b207158dc4e711eb (patch) | |
tree | 0e8528e65f25b9992cfad43e74018a0986f46c38 /fs | |
parent | [PATCH] knfsd: Allow run-time selection of NFS versions to export (diff) | |
download | linux-0ba7536d5d47e4ecf2259a80b207158dc4e711eb.tar.xz linux-0ba7536d5d47e4ecf2259a80b207158dc4e711eb.zip |
[PATCH] knfsd: Fix some minor sign problems in nfsd/xdr
There are a couple of tests which could possibly be confused by extremely
large numbers appearing in 'xdr' packets. I think the closest to an exploit
you could get would be writing random data from a free page into a file - i.e.
leak data out of kernel space.
I'm fairly sure they cannot be used for remote compromise.
Signed-off-by: Neil Brown <neilb@suse.de>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Diffstat (limited to 'fs')
-rw-r--r-- | fs/nfsd/nfs3xdr.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/fs/nfsd/nfs3xdr.c b/fs/nfsd/nfs3xdr.c index e0e134d6baba..9147b8524d05 100644 --- a/fs/nfsd/nfs3xdr.c +++ b/fs/nfsd/nfs3xdr.c @@ -366,7 +366,8 @@ nfs3svc_decode_writeargs(struct svc_rqst *rqstp, u32 *p, len = args->len = ntohl(*p++); hdr = (void*)p - rqstp->rq_arg.head[0].iov_base; - if (rqstp->rq_arg.len < len + hdr) + if (rqstp->rq_arg.len < hdr || + rqstp->rq_arg.len - hdr < len) return 0; args->vec[0].iov_base = (void*)p; |