mirror of
https://mirrors.bfsu.edu.cn/git/linux.git
synced 2024-12-16 15:34:48 +08:00
Fixes:
- Address a buffer overrun reported by Anatoly Trosinenko -----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEKLLlsBKG3yQ88j7+M2qzM29mf5cFAmHArD0ACgkQM2qzM29m f5ddQRAAnPQnaLHGzvXkLKP76EMkFWlCPZk4pkNy1LuHRyU3F+D2Pj1qZBJpqFCa gzRh2N1U+zPguwsoKlPuPjHUqqU4D2Wf0DHo9xsU0gvY5B86m4bebJgpK3zXpD3m 37gyM/UMe744D5A2Kh/yyKCEWR+8STh5/a956dCi22Z7qyEhPQDkrbk9yLBsDo9t NIb2rV/tvdvQvjzBd5om4Sm8QAXrdqoChK619b/T3v46shj/OX2Rqneid1deJi0U czrz19g/hzzvaTlrdXmFT0w9qZQ3Md/T2wDtiKtc/XoTF7ZsBHZFOwLhcDRuTXJO UAfXzXkf1WmhrQZOqJqHCuWFf01vdc3++8L01PXyxVupwGYS/uvdy0VNdO/u5hDr ibYjkrMpTKT14Q7iyPU7CCPolWipVpKt3pMwXuusCz8ky8oMQQSmpjdkofXutVnP NNuzx8iqW8N4Vo86Itoau7qEFM0FcxWR0Ut2F0EKiOjiS63Ccg9wxNbu3rJe/Wpb gpb3ICpPgyOaSUI1D0NEEibbRyiOAE+ldiDdpGHyOGgcK672jaD/5NAvD3s18FRp 2V7Xf/vY3Qiggakopk+hEKYNh2aFXkhZmUf+rNNbhEHpgJGQ6HU1rlSw4+SfrdPK vKx/uDuUr5aahnjrZDaLv1sGp4Nq+m3KEjhlQGKSVi25n4xXgtc= =FIJ5 -----END PGP SIGNATURE----- Merge tag 'nfsd-5.16-3' of git://git.kernel.org/pub/scm/linux/kernel/git/cel/linux Pull nfsd fix from Chuck Lever: "Address a buffer overrun reported by Anatoly Trosinenko" * tag 'nfsd-5.16-3' of git://git.kernel.org/pub/scm/linux/kernel/git/cel/linux: NFSD: Fix READDIR buffer overflow
This commit is contained in:
commit
5dbdc4c565
@ -438,22 +438,19 @@ nfsd3_proc_link(struct svc_rqst *rqstp)
|
||||
|
||||
static void nfsd3_init_dirlist_pages(struct svc_rqst *rqstp,
|
||||
struct nfsd3_readdirres *resp,
|
||||
int count)
|
||||
u32 count)
|
||||
{
|
||||
struct xdr_buf *buf = &resp->dirlist;
|
||||
struct xdr_stream *xdr = &resp->xdr;
|
||||
|
||||
count = min_t(u32, count, svc_max_payload(rqstp));
|
||||
count = clamp(count, (u32)(XDR_UNIT * 2), svc_max_payload(rqstp));
|
||||
|
||||
memset(buf, 0, sizeof(*buf));
|
||||
|
||||
/* Reserve room for the NULL ptr & eof flag (-2 words) */
|
||||
buf->buflen = count - XDR_UNIT * 2;
|
||||
buf->pages = rqstp->rq_next_page;
|
||||
while (count > 0) {
|
||||
rqstp->rq_next_page++;
|
||||
count -= PAGE_SIZE;
|
||||
}
|
||||
rqstp->rq_next_page += (buf->buflen + PAGE_SIZE - 1) >> PAGE_SHIFT;
|
||||
|
||||
/* This is xdr_init_encode(), but it assumes that
|
||||
* the head kvec has already been consumed. */
|
||||
@ -462,7 +459,7 @@ static void nfsd3_init_dirlist_pages(struct svc_rqst *rqstp,
|
||||
xdr->page_ptr = buf->pages;
|
||||
xdr->iov = NULL;
|
||||
xdr->p = page_address(*buf->pages);
|
||||
xdr->end = xdr->p + (PAGE_SIZE >> 2);
|
||||
xdr->end = (void *)xdr->p + min_t(u32, buf->buflen, PAGE_SIZE);
|
||||
xdr->rqst = NULL;
|
||||
}
|
||||
|
||||
|
@ -556,17 +556,17 @@ nfsd_proc_rmdir(struct svc_rqst *rqstp)
|
||||
|
||||
static void nfsd_init_dirlist_pages(struct svc_rqst *rqstp,
|
||||
struct nfsd_readdirres *resp,
|
||||
int count)
|
||||
u32 count)
|
||||
{
|
||||
struct xdr_buf *buf = &resp->dirlist;
|
||||
struct xdr_stream *xdr = &resp->xdr;
|
||||
|
||||
count = min_t(u32, count, PAGE_SIZE);
|
||||
count = clamp(count, (u32)(XDR_UNIT * 2), svc_max_payload(rqstp));
|
||||
|
||||
memset(buf, 0, sizeof(*buf));
|
||||
|
||||
/* Reserve room for the NULL ptr & eof flag (-2 words) */
|
||||
buf->buflen = count - sizeof(__be32) * 2;
|
||||
buf->buflen = count - XDR_UNIT * 2;
|
||||
buf->pages = rqstp->rq_next_page;
|
||||
rqstp->rq_next_page++;
|
||||
|
||||
@ -577,7 +577,7 @@ static void nfsd_init_dirlist_pages(struct svc_rqst *rqstp,
|
||||
xdr->page_ptr = buf->pages;
|
||||
xdr->iov = NULL;
|
||||
xdr->p = page_address(*buf->pages);
|
||||
xdr->end = xdr->p + (PAGE_SIZE >> 2);
|
||||
xdr->end = (void *)xdr->p + min_t(u32, buf->buflen, PAGE_SIZE);
|
||||
xdr->rqst = NULL;
|
||||
}
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user