nfsd: more careful input validation in nfsctl write methods Neil Brown points out that we're checking buf[size-1] in a couple places without first checking whether size is zero. Actually, given the implementation of simple_transaction_get(), buf[-1] is zero, so in both of these cases the subsequent check of the value of buf[size-1] will catch this case. But it seems fragile to depend on that, so add explicit checks for this case. Signed-off-by: J. Bruce Fields <bfields@citi.umich.edu> Acked-by: NeilBrown <neilb@suse.de>

commit: 87d26ea7771ad637035e6bd5a2700d81ee9162da [log] [tgz]
author: J. Bruce Fields <bfields@citi.umich.edu> Tue Jan 22 17:40:42 2008 -0500
committer: J. Bruce Fields <bfields@citi.umich.edu> Fri Feb 01 16:42:15 2008 -0500
tree: c1da6cd6fe03bfadb3276bd30423c7d4b105ef41
parent: 50431d94e732ba71b66a83c5435890728e313095 [diff] [blame]
diff --git a/fs/nfsd/nfsctl.c b/fs/nfsd/nfsctl.c
index bc22e0b..8516137 100644
--- a/fs/nfsd/nfsctl.c
+++ b/fs/nfsd/nfsctl.c

@@ -304,6 +304,9 @@
 	struct auth_domain *dom;
 	struct knfsd_fh fh;
 
+	if (size == 0)
+		return -EINVAL;
+
 	if (buf[size-1] != '\n')
 		return -EINVAL;
 	buf[size-1] = 0;
@@ -663,7 +666,7 @@
 	char *recdir;
 	int len, status;
 
-	if (size > PATH_MAX || buf[size-1] != '\n')
+	if (size == 0 || size > PATH_MAX || buf[size-1] != '\n')
 		return -EINVAL;
 	buf[size-1] = 0;
commit	87d26ea7771ad637035e6bd5a2700d81ee9162da	[log] [tgz]
author	J. Bruce Fields <bfields@citi.umich.edu>	Tue Jan 22 17:40:42 2008 -0500
committer	J. Bruce Fields <bfields@citi.umich.edu>	Fri Feb 01 16:42:15 2008 -0500
tree	c1da6cd6fe03bfadb3276bd30423c7d4b105ef41
parent	50431d94e732ba71b66a83c5435890728e313095 [diff] [blame]