mirror of
https://github.com/torvalds/linux.git
synced 2024-11-24 21:21:41 +00:00
nfsd: enforce upper limit for namelen in __cld_pipe_inprogress_downcall()
This patch is intended to go on top of "nfsd: return -EINVAL when namelen is 0" from Li Lingfeng. Li's patch checks for 0, but we should be enforcing an upper bound as well. Note that if nfsdcld somehow gets an id > NFS4_OPAQUE_LIMIT in its database, it'll truncate it to NFS4_OPAQUE_LIMIT when it does the downcall anyway. Signed-off-by: Scott Mayhew <smayhew@redhat.com> Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
This commit is contained in:
parent
22451a16b7
commit
5559c157b7
@ -809,8 +809,8 @@ __cld_pipe_inprogress_downcall(const struct cld_msg_v2 __user *cmsg,
|
||||
ci = &cmsg->cm_u.cm_clntinfo;
|
||||
if (get_user(namelen, &ci->cc_name.cn_len))
|
||||
return -EFAULT;
|
||||
if (!namelen) {
|
||||
dprintk("%s: namelen should not be zero", __func__);
|
||||
if (namelen == 0 || namelen > NFS4_OPAQUE_LIMIT) {
|
||||
dprintk("%s: invalid namelen (%u)", __func__, namelen);
|
||||
return -EINVAL;
|
||||
}
|
||||
name.data = memdup_user(&ci->cc_name.cn_id, namelen);
|
||||
@ -835,8 +835,8 @@ __cld_pipe_inprogress_downcall(const struct cld_msg_v2 __user *cmsg,
|
||||
cnm = &cmsg->cm_u.cm_name;
|
||||
if (get_user(namelen, &cnm->cn_len))
|
||||
return -EFAULT;
|
||||
if (!namelen) {
|
||||
dprintk("%s: namelen should not be zero", __func__);
|
||||
if (namelen == 0 || namelen > NFS4_OPAQUE_LIMIT) {
|
||||
dprintk("%s: invalid namelen (%u)", __func__, namelen);
|
||||
return -EINVAL;
|
||||
}
|
||||
name.data = memdup_user(&cnm->cn_id, namelen);
|
||||
|
Loading…
Reference in New Issue
Block a user