NFS: Correct the array bound calculation in nfs_readdir_add_to_array

It looks as if the array size calculation in MAX_READDIR_ARRAY does not
take the alignment of struct nfs_cache_array_entry into account.

Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>

+6 -5
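--- a/fs/nfs/dir.c
+++ b/fs/nfs/dir.c
@@ -171,8 +171,6 @@
 	struct nfs_cache_array_entry array[0];
 };
 
-#define MAX_READDIR_ARRAY ((PAGE_SIZE - sizeof(struct nfs_cache_array)) / sizeof(struct nfs_cache_array_entry))
-
 typedef __be32 * (*decode_dirent_t)(struct xdr_stream *, struct nfs_entry *, struct nfs_server *, int);
 typedef struct {
 	struct file *file;
@@ -255,11 +257,14 @@
 
 	if (IS_ERR(array))
 		return PTR_ERR(array);
-	ret = -ENOSPC;
-	if (array->size >= MAX_READDIR_ARRAY)
-		goto out;
 
 	cache_entry = &array->array[array->size];
+
+	/* Check that this entry lies within the page bounds */
+	ret = -ENOSPC;
+	if ((char *)&cache_entry[1] - (char *)page_address(page) > PAGE_SIZE)
+		goto out;
+
 	cache_entry->cookie = entry->prev_cookie;
 	cache_entry->ino = entry->ino;
 	ret = nfs_readdir_make_qstr(&cache_entry->string, entry->name, entry->len);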
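Review bot: The new bound check on the `if` line compares a signed pointer difference with PAGE_SIZE, which is unsigned, so the test is evaluated in unsigned arithmetic and is only correct because `array` (and hence cache_entry) is mapped from the same `page` that page_address(page) returns — a precondition that is not visible in this hunk, since `array` is obtained and `page` is declared outside it. Comparing pointers directly avoids the mixed-sign subtraction and makes the invariant explicit: `if ((char *)&cache_entry[1] > (char *)page_address(page) + PAGE_SIZE)`. It would also help to extend the added comment to say that `&cache_entry[1]` is the one-past-end address, so an entry ending exactly at the page boundary is deliberately accepted by the `>` test. Note that the first hunk removes MAX_READDIR_ARRAY entirely; the diffstat suggests this was its only user, but any remaining reference elsewhere in the file would now fail to compile. nfs_readdir_add_to_array begins and ends outside the hunk.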