Merge branch 'for-3.16' of git://linux-nfs.org/~bfields/linux
Pull nfsd bugfixes from Bruce Fields: "By coincidence, two NFSv4 symlink bugs, one introduced in the 3.16 xdr encoding rewrite, the other a decoding bug that I think we've had since the start but that just doesn't trigger very often" * 'for-3.16' of git://linux-nfs.org/~bfields/linux: nfs: fix nfs4d readlink truncated packet nfsd: fix rare symlink decoding bug
commit
0fba687f9b
@ -617,15 +617,6 @@ nfsd4_create(struct svc_rqst *rqstp, struct nfsd4_compound_state *cstate,
|
|||||||
|
|
||||||
switch (create->cr_type) {
|
switch (create->cr_type) {
|
||||||
case NF4LNK:
|
case NF4LNK:
|
||||||
/* ugh! we have to null-terminate the linktext, or
|
|
||||||
* vfs_symlink() will choke. it is always safe to
|
|
||||||
* null-terminate by brute force, since at worst we
|
|
||||||
* will overwrite the first byte of the create namelen
|
|
||||||
* in the XDR buffer, which has already been extracted
|
|
||||||
* during XDR decode.
|
|
||||||
*/
|
|
||||||
create->cr_linkname[create->cr_linklen] = 0;
|
|
||||||
|
|
||||||
status = nfsd_symlink(rqstp, &cstate->current_fh,
|
status = nfsd_symlink(rqstp, &cstate->current_fh,
|
||||||
create->cr_name, create->cr_namelen,
|
create->cr_name, create->cr_namelen,
|
||||||
create->cr_linkname, create->cr_linklen,
|
create->cr_linkname, create->cr_linklen,
|
||||||
|
@ -600,7 +600,18 @@ nfsd4_decode_create(struct nfsd4_compoundargs *argp, struct nfsd4_create *create
|
|||||||
READ_BUF(4);
|
READ_BUF(4);
|
||||||
create->cr_linklen = be32_to_cpup(p++);
|
create->cr_linklen = be32_to_cpup(p++);
|
||||||
READ_BUF(create->cr_linklen);
|
READ_BUF(create->cr_linklen);
|
||||||
SAVEMEM(create->cr_linkname, create->cr_linklen);
|
/*
|
||||||
|
* The VFS will want a null-terminated string, and
|
||||||
|
* null-terminating in place isn't safe since this might
|
||||||
|
* end on a page boundary:
|
||||||
|
*/
|
||||||
|
create->cr_linkname =
|
||||||
|
kmalloc(create->cr_linklen + 1, GFP_KERNEL);
|
||||||
|
if (!create->cr_linkname)
|
||||||
|
return nfserr_jukebox;
|
||||||
|
memcpy(create->cr_linkname, p, create->cr_linklen);
|
||||||
|
create->cr_linkname[create->cr_linklen] = '\0';
|
||||||
|
defer_free(argp, kfree, create->cr_linkname);
|
||||||
break;
|
break;
|
||||||
case NF4BLK:
|
case NF4BLK:
|
||||||
case NF4CHR:
|
case NF4CHR:
|
||||||
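Review bot: The return value of `defer_free(argp, kfree, create->cr_linkname)` in the NF4LNK case is discarded, so if defer_free can itself fail (its definition is outside this hunk; it presumably allocates a tracking entry), the freshly kmalloc'ed link text is leaked on a path a client request can reach under memory pressure. I would check the result and, on failure, `kfree(create->cr_linkname)` and `return nfserr_jukebox;`, as the kmalloc failure branch already does. Separately, `create->cr_linklen` is decoded straight from the request and sizes the allocation. The only bound visible here is `READ_BUF(create->cr_linklen)`, so an explicit upper limit before `kmalloc(create->cr_linklen + 1, GFP_KERNEL)` would keep the allocation size, and the `+ 1`, independent of how READ_BUF treats oversized lengths. nfsd4_decode_create starts and ends outside the hunk, so how deferred buffers are released after the early return cannot be confirmed from here.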
@ -3267,7 +3278,7 @@ nfsd4_encode_readlink(struct nfsd4_compoundres *resp, __be32 nfserr, struct nfsd
|
|||||||
|
|
||||||
wire_count = htonl(maxcount);
|
wire_count = htonl(maxcount);
|
||||||
write_bytes_to_xdr_buf(xdr->buf, length_offset, &wire_count, 4);
|
write_bytes_to_xdr_buf(xdr->buf, length_offset, &wire_count, 4);
|
||||||
xdr_truncate_encode(xdr, length_offset + 4 + maxcount);
|
xdr_truncate_encode(xdr, length_offset + 4 + ALIGN(maxcount, 4));
|
||||||
if (maxcount & 3)
|
if (maxcount & 3)
|
||||||
write_bytes_to_xdr_buf(xdr->buf, length_offset + 4 + maxcount,
|
write_bytes_to_xdr_buf(xdr->buf, length_offset + 4 + maxcount,
|
||||||
&zero, 4 - (maxcount&3));
|
&zero, 4 - (maxcount&3));
|
||||||
|