[PATCH] Protect against NFS requests to create symlinks bigger than one page

Such a request would cause the nul terminator to be written
to some other page, and cause havoc.

Also rearrange two tests to avoid the possibility of testing the byte
just past the end of a buffer - doing so can causes an oops with appropriate
kernel-debug config options

diff --git a/fs/nfsd/nfs3xdr.c b/fs/nfsd/nfs3xdr.c
index 2e53ddd8393587bdfa176e08780a45f4287092c7..02798d4b8cd8308a34883b562f8657c904b8cdbc 100644 (file)
--- a/fs/nfsd/nfs3xdr.c
+++ b/fs/nfsd/nfs3xdr.c
@@ -446,7 +446,7 @@ nfs3svc_decode_symlinkargs(struct svc_rqst *rqstp, u32 *p,
         */
        svc_take_page(rqstp);
        len = ntohl(*p++);
-       if (len <= 0 || len > NFS3_MAXPATHLEN)
+       if (len <= 0 || len > NFS3_MAXPATHLEN || len >= PAGE_SIZE)
                return 0;
        args->tname = new = page_address(rqstp->rq_respages[rqstp->rq_resused-1]);
        args->tlen = len;
@@ -454,7 +454,7 @@ nfs3svc_decode_symlinkargs(struct svc_rqst *rqstp, u32 *p,
        old = (char*)p;
        vec = &rqstp->rq_arg.head[0];
        avail = vec->iov_len - (old - (char*)vec->iov_base);
-       while (len > 0 && *old && avail) {
+       while (len && avail && *old) {
                *new++ = *old++;
                len--;
                avail--;
@@ -465,7 +465,7 @@ nfs3svc_decode_symlinkargs(struct svc_rqst *rqstp, u32 *p,
                if (avail > PAGE_SIZE) avail = PAGE_SIZE;
                old = page_address(rqstp->rq_arg.pages[0]);
        }
-       while (len > 0 && *old && avail) {
+       while (len && avail && *old) {
                *new++ = *old++;
                len--;
                avail--;