Skip to content

Commit

Permalink
nfsd: more careful input validation in nfsctl write methods
Browse files Browse the repository at this point in the history
Neil Brown points out that we're checking buf[size-1] in a couple places
without first checking whether size is zero.

Actually, given the implementation of simple_transaction_get(), buf[-1]
is zero, so in both of these cases the subsequent check of the value of
buf[size-1] will catch this case.

But it seems fragile to depend on that, so add explicit checks for this
case.

Signed-off-by: J. Bruce Fields <[email protected]>
Acked-by: NeilBrown <[email protected]>
  • Loading branch information
J. Bruce Fields committed Feb 1, 2008
1 parent 50431d9 commit 87d26ea
Showing 1 changed file with 4 additions and 1 deletion.
5 changes: 4 additions & 1 deletion fs/nfsd/nfsctl.c
Original file line number Diff line number Diff line change
Expand Up @@ -304,6 +304,9 @@ static ssize_t write_filehandle(struct file *file, char *buf, size_t size)
struct auth_domain *dom;
struct knfsd_fh fh;

if (size == 0)
return -EINVAL;

if (buf[size-1] != '\n')
return -EINVAL;
buf[size-1] = 0;
Expand Down Expand Up @@ -663,7 +666,7 @@ static ssize_t write_recoverydir(struct file *file, char *buf, size_t size)
char *recdir;
int len, status;

if (size > PATH_MAX || buf[size-1] != '\n')
if (size == 0 || size > PATH_MAX || buf[size-1] != '\n')
return -EINVAL;
buf[size-1] = 0;

Expand Down

0 comments on commit 87d26ea

Please sign in to comment.