[PATCH] knfsd: Fix some minor sign problems in nfsd/xdr

There are a couple of tests which could possibly be confused by extremely large numbers appearing in 'xdr' packets. I think the closest to an exploit you could get would be writing random data from a free page into a file - i.e. leak data out of kernel space. I'm fairly sure they cannot be used for remote compromise. Signed-off-by: Neil Brown <neilb@suse.de> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
author: NeilBrown <neilb@cse.unsw.edu.au> 2005-11-07 01:00:26 -0800
committer: Linus Torvalds <torvalds@g5.osdl.org> 2005-11-07 07:53:48 -0800
commit: 0ba7536d5d47e4ecf2259a80b207158dc4e711eb (patch)
tree: 0e8528e65f25b9992cfad43e74018a0986f46c38 /fs/nfsd/nfs3xdr.c
parent: 70c3b76c28b012452d63bb27f6d0517afb05d86f (diff)
1 files changed, 2 insertions, 1 deletions
diff --git a/fs/nfsd/nfs3xdr.c b/fs/nfsd/nfs3xdr.c
index e0e134d6bab..9147b8524d0 100644
--- a/fs/nfsd/nfs3xdr.c
+++ b/fs/nfsd/nfs3xdr.c
@@ -366,7 +366,8 @@ nfs3svc_decode_writeargs(struct svc_rqst *rqstp, u32 *p,
 	len = args->len = ntohl(*p++);
 
 	hdr = (void*)p - rqstp->rq_arg.head[0].iov_base;
-	if (rqstp->rq_arg.len < len + hdr)
+	if (rqstp->rq_arg.len < hdr ||
+	    rqstp->rq_arg.len - hdr < len)
 		return 0;
 
 	args->vec[0].iov_base = (void*)p;
author	NeilBrown <neilb@cse.unsw.edu.au>	2005-11-07 01:00:26 -0800
committer	Linus Torvalds <torvalds@g5.osdl.org>	2005-11-07 07:53:48 -0800
commit	0ba7536d5d47e4ecf2259a80b207158dc4e711eb (patch)
tree	0e8528e65f25b9992cfad43e74018a0986f46c38 /fs/nfsd/nfs3xdr.c
parent	70c3b76c28b012452d63bb27f6d0517afb05d86f (diff)