author | Trond Myklebust <trond.myklebust@hammerspace.com> | 2021-11-04 22:33:36 +0100 |
---|---|---|
committer | Trond Myklebust <trond.myklebust@hammerspace.com> | 2021-11-05 19:54:30 +0100 |
commit | f114759c322edb4f293941a62748e31858852cd1 (patch) | |
tree | 5626a745bccf8190c65f120a6a42f330082da23b /fs | |
parent | NFSv4: Ensure decode_compound_hdr() sanity checks the tag (diff) | |
NFSv4: Fix potential Oops in decode_op_map()
The return value of xdr_inline_decode() is not being checked, leading to
a potential Oops. Just replace the open coded array decode with the
generic XDR version.
Reported-by: <rtm@csail.mit.edu>
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
Diffstat (limited to 'fs')
-rw-r--r-- | fs/nfs/nfs4xdr.c | 15 |
1 files changed, 2 insertions, 13 deletions
diff --git a/fs/nfs/nfs4xdr.c b/fs/nfs/nfs4xdr.c
index f206d41d6bee..63a12181e6c7 100644
--- a/fs/nfs/nfs4xdr.c
+++ b/fs/nfs/nfs4xdr.c
@@ -5575,20 +5575,9 @@ static int decode_secinfo_no_name(struct xdr_stream *xdr, struct nfs4_secinfo_re

 static int decode_op_map(struct xdr_stream *xdr, struct nfs4_op_map *op_map)
 {
- __be32 *p;
- uint32_t bitmap_words;
- unsigned int i;
-
- p = xdr_inline_decode(xdr, 4);
- if (!p)
- return -EIO;
- bitmap_words = be32_to_cpup(p++);
- if (bitmap_words > NFS4_OP_MAP_NUM_WORDS)
+ if (xdr_stream_decode_uint32_array(xdr, op_map->u.words,
+ ARRAY_SIZE(op_map->u.words)) < 0)
 return -EIO;
- p = xdr_inline_decode(xdr, 4 * bitmap_words);
- for (i = 0; i < bitmap_words; i++)
- op_map->u.words[i] = be32_to_cpup(p++);
-
 return 0;
 }

|
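Review bot: The explicit `bitmap_words > NFS4_OP_MAP_NUM_WORDS` bound on the server-supplied word count is now implicit in `xdr_stream_decode_uint32_array()`, so decode_op_map() no longer shows where an oversized count from the wire is rejected. A one-line comment above the call, such as `/* helper reads the word count and bounds it by ARRAY_SIZE(op_map->u.words) */`, would keep that visible to the next reader. The helper's body is not in this hunk, so its handling of a reply that carries fewer words than the array holds should be confirmed and noted: the removed loop left the trailing words of `op_map->u.words` untouched, and code that later tests bits in the map presumably needs them in a defined state. Mapping every negative return to `-EIO` matches the old behaviour, so callers see no new error codes.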