Commit 2aeb0311 authored by Neil Brown, committed by James Bottomley

[PATCH] Bounds checking for NFSv3 readdirplus

From Ted Phelps <phelps@dstc.edu.au>

The NFSv3 readdirplus path doesn't check to see if maxcount is less
than the size of a page before it fills it up, possibly overwriting
random bits of memory.  At least, it makes my Solaris NFSv3 client
work.

The attached patch, against 2.5.58, adds this check in a way which is
consistent with the way readdir does under both NFSv2 and NFSv3.
parent e7308b44
...@@ -578,6 +578,9 @@ nfs3svc_decode_readdirplusargs(struct svc_rqst *rqstp, u32 *p, ...@@ -578,6 +578,9 @@ nfs3svc_decode_readdirplusargs(struct svc_rqst *rqstp, u32 *p,
args->dircount = ntohl(*p++); args->dircount = ntohl(*p++);
args->count = ntohl(*p++); args->count = ntohl(*p++);
if (args->count > PAGE_SIZE)
args->count = PAGE_SIZE;
svc_take_page(rqstp); svc_take_page(rqstp);
args->buffer = page_address(rqstp->rq_respages[rqstp->rq_resused-1]); args->buffer = page_address(rqstp->rq_respages[rqstp->rq_resused-1]);
......
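
Review bot: The new `if (args->count > PAGE_SIZE)` clamp carries no comment tying the limit to the single page that `svc_take_page(rqstp)` provides for `args->buffer` two lines below it. A one-line comment stating that the reply buffer is exactly one page would keep the bound from going stale if the buffer handling changes. Separately, `args->dircount`, decoded on the line just above `args->count`, is left unclamped in this hunk; the commit message should say whether it is ever used as a write bound into that page, since the stated goal is to stop client-supplied sizes from overrunning it.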