Home Explore Help
Sign In
GfA
/
linux_kernel
5
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

Merge branch 'for-3.16' of git://linux-nfs.org/~bfields/linux

Pull nfsd bugfixes from Bruce Fields:
 "By coincidence, two NFSv4 symlink bugs, one introduced in the 3.16 xdr
  encoding rewrite, the other a decoding bug that I think we've had
  since the start but that just doesn't trigger very often"

* 'for-3.16' of git://linux-nfs.org/~bfields/linux:
  nfs: fix nfs4d readlink truncated packet
  nfsd: fix rare symlink decoding bug
Linus Torvalds 11 years ago
parent
b9cd18de4d 69bbd9c7b9
commit
0fba687f9b
2 changed files with 13 additions and 11 deletions
Split View Show Diff Stats
  1. 0 9
      fs/nfsd/nfs4proc.c
  2. 13 2
      fs/nfsd/nfs4xdr.c

+ 0 - 9
fs/nfsd/nfs4proc.c
View File 

@@ -617,15 +617,6 @@ nfsd4_create(struct svc_rqst *rqstp, struct nfsd4_compound_state *cstate,
 
 
 	switch (create->cr_type) {
 
 	case NF4LNK:
 
-		/* ugh! we have to null-terminate the linktext, or
 
-		 * vfs_symlink() will choke.  it is always safe to
 
-		 * null-terminate by brute force, since at worst we
 
-		 * will overwrite the first byte of the create namelen
 
-		 * in the XDR buffer, which has already been extracted
 
-		 * during XDR decode.
 
-		 */
 
-		create->cr_linkname[create->cr_linklen] = 0;
 
-
 
 		status = nfsd_symlink(rqstp, &cstate->current_fh,
 
 				      create->cr_name, create->cr_namelen,
 
 				      create->cr_linkname, create->cr_linklen,

+ 13 - 2
fs/nfsd/nfs4xdr.c
View File 

@@ -600,7 +600,18 @@ nfsd4_decode_create(struct nfsd4_compoundargs *argp, struct nfsd4_create *create
 
 		READ_BUF(4);
 
 		create->cr_linklen = be32_to_cpup(p++);
 
 		READ_BUF(create->cr_linklen);
 
-		SAVEMEM(create->cr_linkname, create->cr_linklen);
 
+		/*
 
+		 * The VFS will want a null-terminated string, and
 
+		 * null-terminating in place isn't safe since this might
 
+		 * end on a page boundary:
 
+		 */
 
+		create->cr_linkname =
 
+				kmalloc(create->cr_linklen + 1, GFP_KERNEL);
 
+		if (!create->cr_linkname)
 
+			return nfserr_jukebox;
 
+		memcpy(create->cr_linkname, p, create->cr_linklen);
 
+		create->cr_linkname[create->cr_linklen] = '\0';
 
+		defer_free(argp, kfree, create->cr_linkname);
 
 		break;
 
 	case NF4BLK:
 
 	case NF4CHR:
 
@@ -3267,7 +3278,7 @@ nfsd4_encode_readlink(struct nfsd4_compoundres *resp, __be32 nfserr, struct nfsd
 
 
 	wire_count = htonl(maxcount);
 
 	write_bytes_to_xdr_buf(xdr->buf, length_offset, &wire_count, 4);
 
-	xdr_truncate_encode(xdr, length_offset + 4 + maxcount);
 
+	xdr_truncate_encode(xdr, length_offset + 4 + ALIGN(maxcount, 4));
 
 	if (maxcount & 3)
 
 		write_bytes_to_xdr_buf(xdr->buf, length_offset + 4 + maxcount,
 
 						&zero, 4 - (maxcount&3));