[stable] [52/87] NFS: Fix a decoding problem in nfs3_decode_dirent

Mon, 21 Mar 2011 17:03:54 -0700 

2.6.37-stable review patch.  If anyone has any objections, please let us know.

------------------

[This needs to be applied to 2.6.37 only. The bug in question was
inadvertently fixed by a series of cleanups in 2.6.38, but the patches
in question are too large to be backported. This patch is a minimal fix
that serves the same purpose.]

When we decode a filename followed by an 8-byte cookie, we need to
consider the fact that the filename and cookie are 32-bit word aligned.
Presently, we may end up copying insufficient amounts of data when
xdr_inline_decode() needs to invoke xdr_copy_to_scratch to deal
with a page boundary.

The following patch fixes the issue by first decoding the filename, and
then decoding the cookie.

Reported-by: Neil Brown <[email protected]>
Signed-off-by: Trond Myklebust <[email protected]>
Reviewed-by: NeilBrown <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
 fs/nfs/nfs2xdr.c |    6 ++++--
 fs/nfs/nfs3xdr.c |    6 ++++--
 2 files changed, 8 insertions(+), 4 deletions(-)

--- a/fs/nfs/nfs2xdr.c
+++ b/fs/nfs/nfs2xdr.c
@@ -477,11 +477,13 @@ nfs_decode_dirent(struct xdr_stream *xdr
        entry->ino        = ntohl(*p++);
        entry->len        = ntohl(*p++);
 
-       p = xdr_inline_decode(xdr, entry->len + 4);
+       p = xdr_inline_decode(xdr, entry->len);
        if (unlikely(!p))
                goto out_overflow;
        entry->name       = (const char *) p;
-       p                += XDR_QUADLEN(entry->len);
+       p = xdr_inline_decode(xdr, 4);
+       if (unlikely(!p))
+               goto out_overflow;
        entry->prev_cookie        = entry->cookie;
        entry->cookie     = ntohl(*p++);
 
--- a/fs/nfs/nfs3xdr.c
+++ b/fs/nfs/nfs3xdr.c
@@ -614,11 +614,13 @@ nfs3_decode_dirent(struct xdr_stream *xd
        p = xdr_decode_hyper(p, &entry->ino);
        entry->len  = ntohl(*p++);
 
-       p = xdr_inline_decode(xdr, entry->len + 8);
+       p = xdr_inline_decode(xdr, entry->len);
        if (unlikely(!p))
                goto out_overflow;
        entry->name = (const char *) p;
-       p += XDR_QUADLEN(entry->len);
+       p = xdr_inline_decode(xdr, 8);
+       if (unlikely(!p))
+               goto out_overflow;
        entry->prev_cookie = entry->cookie;
        p = xdr_decode_hyper(p, &entry->cookie);
 


_______________________________________________
stable mailing list
[email protected]
http://linux.kernel.org/mailman/listinfo/stable

Reply via email to