NFS: Fix filehandle size comparisons in the mount code

Fix a sign issue in xdr_decode_fhstatus3()
Fix incorrect comparison in nfs_validate_mount_data()

Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>

+7 -6
+3 -2
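--- a/fs/nfs/mount_clnt.c
+++ b/fs/nfs/mount_clnt.c
@@ -130,10 +130,11 @@
 struct mnt_fhstatus *res)
 {
 struct nfs_fh *fh = res->fh;
+unsigned size;
 
 if ((res->status = ntohl(*p++)) == 0) {
-int size = ntohl(*p++);
-if (size <= NFS3_FHSIZE) {
+size = ntohl(*p++);
+if (size <= NFS3_FHSIZE && size != 0) {
 fh->size = size;
 memcpy(fh->data, p, size);
 } else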
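Review bot: The new bound on `size` protects the destination `fh->data`, but nothing in the visible lines checks that the reply still holds `size` bytes at `p` before `memcpy(fh->data, p, size)`, so the length of the read is still chosen by the server. Whether the caller guarantees a reply of at least that length cannot be seen from this section, and the function continues past the trailing `} else`. If that guarantee exists, I would record it above the copy, e.g. `/* size is server-supplied; only the destination is bounded here, reply length is checked by the caller */`. If it does not, the decoder needs a check against the remaining reply length before the copy.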
+4 -4
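--- a/fs/nfs/super.c
+++ b/fs/nfs/super.c
@@ -1249,13 +1249,13 @@
 case 5:
 memset(data->context, 0, sizeof(data->context));
 case 6:
-if (data->flags & NFS_MOUNT_VER3)
+if (data->flags & NFS_MOUNT_VER3) {
+if (data->root.size > NFS3_FHSIZE || data->root.size == 0)
+goto out_invalid_fh;
 mntfh->size = data->root.size;
-else
+} else
 mntfh->size = NFS2_FHSIZE;
 
-if (mntfh->size > sizeof(mntfh->data))
-goto out_invalid_fh;
 
 memcpy(mntfh->data, data->root.data, mntfh->size);
 if (mntfh->size < sizeof(mntfh->data))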
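Review bot: With the `sizeof(mntfh->data)` test removed, the `memcpy` into `mntfh->data` is bounded only by the protocol constants, and nothing in this section shows that `NFS3_FHSIZE` and `NFS2_FHSIZE` fit in that array or in `data->root.data`. Those sizes are presumably fixed by the headers, but a compile-time check next to the copy would keep the assumption from drifting, e.g. `BUILD_BUG_ON(NFS3_FHSIZE > sizeof(mntfh->data));`. The `else` branch would also read more safely with braces to match the now-braced `if`. The enclosing switch starts and ends outside this section.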