Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S932576AbVINURv (ORCPT ); Wed, 14 Sep 2005 16:17:51 -0400 Received: (majordomo@vger.kernel.org) by vger.kernel.org id S932710AbVINURv (ORCPT ); Wed, 14 Sep 2005 16:17:51 -0400 Received: from mx1.redhat.com ([66.187.233.31]:59854 "EHLO mx1.redhat.com") by vger.kernel.org with ESMTP id S932576AbVINURu (ORCPT ); Wed, 14 Sep 2005 16:17:50 -0400 Message-ID: <432883E5.6000004@redhat.com> Date: Wed, 14 Sep 2005 16:11:17 -0400 From: Peter Staubach User-Agent: Mozilla Thunderbird (X11/20050322) X-Accept-Language: en-us, en MIME-Version: 1.0 To: Assar CC: Marcelo Tosatti , Trond Myklebust , Valdis.Kletnieks@vt.edu, linux-kernel@vger.kernel.org Subject: Re: [PATCH] nfs client, kernel 2.4.31: readlink result overflow References: <78irx6wh6j.fsf@sober-counsel.permabit.com> <200509121846.j8CIk5YE025124@turing-police.cc.vt.edu> <784q8qrsad.fsf@sober-counsel.permabit.com> <200509122001.j8CK1kpW028651@turing-police.cc.vt.edu> <788xy2qas0.fsf@sober-counsel.permabit.com> <20050913183948.GE14889@dmt.cnet> <784q8okdfn.fsf@sober-counsel.permabit.com> <20050913193539.GB17222@dmt.cnet> <784q8oivp4.fsf@sober-counsel.permabit.com> <43287221.8020602@redhat.com> <7864t3h1xw.fsf@sober-counsel.permabit.com> In-Reply-To: <7864t3h1xw.fsf@sober-counsel.permabit.com> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 1214 Lines: 36 Assar wrote: >>The 2.6 kernel code is also broken, but in a different, but once again, >>similar fashions. >> >> > >You mean for length > 1024 ? > >diff -u linux-2.6.13.orig/fs/nfs/nfs2xdr.c linux-2.6.13/fs/nfs/nfs2xdr.c >--- linux-2.6.13.orig/fs/nfs/nfs2xdr.c 2005-08-28 19:41:01.000000000 -0400 >+++ linux-2.6.13/fs/nfs/nfs2xdr.c 2005-09-14 15:40:13.000000000 -0400 >@@ -557,7 +557,7 @@ > return -nfs_stat_to_errno(status); > /* Convert length of symlink */ > len = ntohl(*p++); >- if (len >= rcvbuf->page_len || len <= 0) { >+ if (len >= rcvbuf->page_len || len <= 0 || len > NFS2_MAXPATHLEN) { > dprintk(KERN_WARNING "nfs: server returned giant symlink!\n"); > return -ENAMETOOLONG; > } > This code appears to assume that rcvbuf->page_base is zero here, but then uses rcvbuf->page_base when calculating where to place the null byte. It seems to me that it should either use rcvbuf->page_base in both calculations or neither. Thanx... ps - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/