Commit:     87d26ea7771ad637035e6bd5a2700d81ee9162da
Parent:     50431d94e732ba71b66a83c5435890728e313095
Author:     J. Bruce Fields <[EMAIL PROTECTED]>
AuthorDate: Tue Jan 22 17:40:42 2008 -0500
Committer:  J. Bruce Fields <[EMAIL PROTECTED]>
CommitDate: Fri Feb 1 16:42:15 2008 -0500

    nfsd: more careful input validation in nfsctl write methods
    Neil Brown points out that we're checking buf[size-1] in a couple places
    without first checking whether size is zero.
    Actually, given the implementation of simple_transaction_get(), buf[-1]
    is zero, so in both of these cases the subsequent check of the value of
    buf[size-1] will catch this case.
    But it seems fragile to depend on that, so add explicit checks for this
    Signed-off-by: J. Bruce Fields <[EMAIL PROTECTED]>
    Acked-by: NeilBrown <[EMAIL PROTECTED]>
 fs/nfsd/nfsctl.c |    5 ++++-
 1 files changed, 4 insertions(+), 1 deletions(-)

diff --git a/fs/nfsd/nfsctl.c b/fs/nfsd/nfsctl.c
index bc22e0b..8516137 100644
--- a/fs/nfsd/nfsctl.c
+++ b/fs/nfsd/nfsctl.c
@@ -304,6 +304,9 @@ static ssize_t write_filehandle(struct file *file, char 
*buf, size_t size)
        struct auth_domain *dom;
        struct knfsd_fh fh;
+       if (size == 0)
+               return -EINVAL;
        if (buf[size-1] != '\n')
                return -EINVAL;
        buf[size-1] = 0;
@@ -663,7 +666,7 @@ static ssize_t write_recoverydir(struct file *file, char 
*buf, size_t size)
        char *recdir;
        int len, status;
-       if (size > PATH_MAX || buf[size-1] != '\n')
+       if (size == 0 || size > PATH_MAX || buf[size-1] != '\n')
                return -EINVAL;
        buf[size-1] = 0;
To unsubscribe from this list: send the line "unsubscribe git-commits-head" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at

Reply via email to