Linux kernel mirror (for testing)
git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
tjh.dev
kernel
os
linux
nfsd: more careful input validation in nfsctl write methods
Neil Brown points out that we're checking buf[size-1] in a couple places
without first checking whether size is zero.
Actually, given the implementation of simple_transaction_get(), buf[-1]
is zero, so in both of these cases the subsequent check of the value of
buf[size-1] will catch this case.
But it seems fragile to depend on that, so add explicit checks for this
case.
Signed-off-by: J. Bruce Fields <bfields@citi.umich.edu>
Acked-by: NeilBrown <neilb@suse.de>
+4
-1
fs/nfsd/nfsctl.c
+4
-1
fs/nfsd/nfsctl.c
···
304
304
struct auth_domain *dom;
305
305
struct knfsd_fh fh;
306
306
307
+
if (size == 0)
308
+
return -EINVAL;
309
+
307
310
if (buf[size-1] != '\n')
308
311
return -EINVAL;
309
312
buf[size-1] = 0;
···
666
663
char *recdir;
667
664
int len, status;
668
665
669
-
if (size > PATH_MAX || buf[size-1] != '\n')
666
+
if (size == 0 || size > PATH_MAX || buf[size-1] != '\n')
670
667
return -EINVAL;
671
668
buf[size-1] = 0;
672
669