Commit a11317b1 authored by Andrew Morton's avatar Andrew Morton Committed by Linus Torvalds

[PATCH] Subject: [PATCH] Fix overflow bug in READDIRPLUS...

From: Trond Myklebust <trond.myklebust@fys.uio.no>

Fixes the Oops reported by Paul Blazejowski.  Bug turned out to be in the page
overflow checking for READDIRPLUS.
parent 1908da86
......@@ -536,16 +536,16 @@ nfs3_xdr_readdirres(struct rpc_rqst *req, u32 *p, struct nfs3_readdirres *res)
if (res->plus) {
/* post_op_attr */
if (p > end)
if (p + 2 > end)
goto short_pkt;
if (*p++) {
p += 21;
if (p > end)
if (p + 1 > end)
goto short_pkt;
}
/* post_op_fh3 */
if (*p++) {
if (p > end)
if (p + 1 > end)
goto short_pkt;
len = ntohl(*p++);
if (len > NFS3_FHSIZE) {
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment