nfsd: more careful input validation in nfsctl write methods

Neil Brown points out that we're checking buf[size-1] in a couple places
without first checking whether size is zero.

Actually, given the implementation of simple_transaction_get(), buf[-1]
is zero, so in both of these cases the subsequent check of the value of
buf[size-1] will catch this case.

But it seems fragile to depend on that, so add explicit checks for this
case.

Signed-off-by: J. Bruce Fields <bfields@citi.umich.edu>
Acked-by: NeilBrown <neilb@suse.de>

+4 -1
fs/nfsd/nfsctl.c
··· 304 struct auth_domain *dom; 305 struct knfsd_fh fh; 306 307 if (buf[size-1] != '\n') 308 return -EINVAL; 309 buf[size-1] = 0; ··· 666 char *recdir; 667 int len, status; 668 669 - if (size > PATH_MAX || buf[size-1] != '\n') 670 return -EINVAL; 671 buf[size-1] = 0; 672
··· 304 struct auth_domain *dom; 305 struct knfsd_fh fh; 306 307 + if (size == 0) 308 + return -EINVAL; 309 + 310 if (buf[size-1] != '\n') 311 return -EINVAL; 312 buf[size-1] = 0; ··· 663 char *recdir; 664 int len, status; 665 666 + if (size == 0 || size > PATH_MAX || buf[size-1] != '\n') 667 return -EINVAL; 668 buf[size-1] = 0; 669
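Review bot: In the first hunk (new lines 307-308) the zero-length test is a separate `if`, while the second hunk folds the same test into the existing condition; using one form in both places would make the pattern easier to grep for and audit, for example `if (size == 0 || buf[size-1] != '\n')` here. A short comment saying that the check exists so the code does not rely on what simple_transaction_get() leaves at buf[-1] would also keep a later cleanup from removing it as redundant.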
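Review bot: In the second hunk (new line 666) the guard on `buf[size-1]` only holds because `size == 0` is evaluated first in the `||` chain, so the ordering is load-bearing and nothing in the code says so. Consider a one-line comment to that effect, or split the length checks (`size == 0 || size > PATH_MAX`) from the trailing-newline check so a future reorder of the condition cannot reintroduce the buf[-1] read.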