tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
1
fork

Configure Feed

Select the types of activity you want to include in your feed.

Merge branch 'for-3.16' of git://linux-nfs.org/~bfields/linux

Pull nfsd bugfixes from Bruce Fields:
"By coincidence, two NFSv4 symlink bugs, one introduced in the 3.16 xdr
encoding rewrite, the other a decoding bug that I think we've had
since the start but that just doesn't trigger very often"

* 'for-3.16' of git://linux-nfs.org/~bfields/linux:
nfs: fix nfs4d readlink truncated packet
nfsd: fix rare symlink decoding bug

Linus Torvalds 0fba687f b9cd18de

+13 -11
-9
fs/nfsd/nfs4proc.c
··· 617 617 618 618 switch (create->cr_type) { 619 619 case NF4LNK: 620 - /* ugh! we have to null-terminate the linktext, or 621 - * vfs_symlink() will choke. it is always safe to 622 - * null-terminate by brute force, since at worst we 623 - * will overwrite the first byte of the create namelen 624 - * in the XDR buffer, which has already been extracted 625 - * during XDR decode. 626 - */ 627 - create->cr_linkname[create->cr_linklen] = 0; 628 - 629 620 status = nfsd_symlink(rqstp, &cstate->current_fh, 630 621 create->cr_name, create->cr_namelen, 631 622 create->cr_linkname, create->cr_linklen,
+13 -2
fs/nfsd/nfs4xdr.c
··· 600 600 READ_BUF(4); 601 601 create->cr_linklen = be32_to_cpup(p++); 602 602 READ_BUF(create->cr_linklen); 603 - SAVEMEM(create->cr_linkname, create->cr_linklen); 603 + /* 604 + * The VFS will want a null-terminated string, and 605 + * null-terminating in place isn't safe since this might 606 + * end on a page boundary: 607 + */ 608 + create->cr_linkname = 609 + kmalloc(create->cr_linklen + 1, GFP_KERNEL); 610 + if (!create->cr_linkname) 611 + return nfserr_jukebox; 612 + memcpy(create->cr_linkname, p, create->cr_linklen); 613 + create->cr_linkname[create->cr_linklen] = '\0'; 614 + defer_free(argp, kfree, create->cr_linkname); 604 615 break; 605 616 case NF4BLK: 606 617 case NF4CHR: ··· 3278 3267 3279 3268 wire_count = htonl(maxcount); 3280 3269 write_bytes_to_xdr_buf(xdr->buf, length_offset, &wire_count, 4); 3281 - xdr_truncate_encode(xdr, length_offset + 4 + maxcount); 3270 + xdr_truncate_encode(xdr, length_offset + 4 + ALIGN(maxcount, 4)); 3282 3271 if (maxcount & 3) 3283 3272 write_bytes_to_xdr_buf(xdr->buf, length_offset + 4 + maxcount, 3284 3273 &zero, 4 - (maxcount&3));