[PATCH] knfsd: Fix some minor sign problems in nfsd/xdr
There are a couple of tests which could possibly be confused by extremely large numbers appearing in 'xdr' packets. I think the closest to an exploit you could get would be writing random data from a free page into a file - i.e. leak data out of kernel space. I'm fairly sure they cannot be used for remote compromise. Signed-off-by: Neil Brown <neilb@suse.de> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
This commit is contained in:
parent
70c3b76c28
commit
0ba7536d5d
3 changed files with 5 additions and 3 deletions
|
@ -366,7 +366,8 @@ nfs3svc_decode_writeargs(struct svc_rqst *rqstp, u32 *p,
|
|||
len = args->len = ntohl(*p++);
|
||||
|
||||
hdr = (void*)p - rqstp->rq_arg.head[0].iov_base;
|
||||
if (rqstp->rq_arg.len < len + hdr)
|
||||
if (rqstp->rq_arg.len < hdr ||
|
||||
rqstp->rq_arg.len - hdr < len)
|
||||
return 0;
|
||||
|
||||
args->vec[0].iov_base = (void*)p;
|
||||
|
|
|
@ -42,7 +42,7 @@ struct nfsd3_writeargs {
|
|||
__u64 offset;
|
||||
__u32 count;
|
||||
int stable;
|
||||
int len;
|
||||
__u32 len;
|
||||
struct kvec vec[RPCSVC_MAXPAGES];
|
||||
int vlen;
|
||||
};
|
||||
|
|
|
@ -171,7 +171,8 @@ xdr_argsize_check(struct svc_rqst *rqstp, u32 *p)
|
|||
{
|
||||
char *cp = (char *)p;
|
||||
struct kvec *vec = &rqstp->rq_arg.head[0];
|
||||
return cp - (char*)vec->iov_base <= vec->iov_len;
|
||||
return cp >= (char*)vec->iov_base
|
||||
&& cp <= (char*)vec->iov_base + vec->iov_len;
|
||||
}
|
||||
|
||||
static inline int
|
||||
|
|
Loading…
Reference in a new issue