Re: [PATCH] nfs client, kernel 2.4.31: readlink result overflow

From: Valdis . Kletnieks
Date: Mon Sep 12 2005 - 15:02:15 EST

Next message: Randy.Dunlap: "Re: Tainted lsmod output"
Previous message: James . Smart: "RE: [PATCH 2.6.13 5/14] sas-class: sas_discover.c Discover process (end devices)"
In reply to: Assar: "Re: [PATCH] nfs client, kernel 2.4.31: readlink result overflow"
Next in thread: Assar: "Re: [PATCH] nfs client, kernel 2.4.31: readlink result overflow"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Mon, 12 Sep 2005 15:37:46 EDT, Assar said:
> Valdis.Kletnieks@xxxxxx writes:
> > Odd, as it has similar code - 2.6.13-mm1 nfs2xdr.c has:
> > /* Convert length of symlink */
> > len = ntohl(*p++);
> > if (len >= rcvbuf->page_len || len <= 0) {
>
> To my reading, the 2.6.13 code does not copy the 4 bytes of length to
> rcvbuf.

Hmm... it still does this:
kaddr[len+rcvbuf->page_base] = '\0';
which still has a possible off-by-one? (Was that why you have -1 -4?)

> > Am I the only one who finds an uncommented "-1 -4" construct scary beyond belief?
>
> Probably not. What do you think looks better? sizeof(u32) ?

sizeof(actual_var) is even better, as that way it's clear what you're allowing
space for.

Attachment: pgp00000.pgp
Description: PGP signature

Next message: Randy.Dunlap: "Re: Tainted lsmod output"
Previous message: James . Smart: "RE: [PATCH 2.6.13 5/14] sas-class: sas_discover.c Discover process (end devices)"
In reply to: Assar: "Re: [PATCH] nfs client, kernel 2.4.31: readlink result overflow"
Next in thread: Assar: "Re: [PATCH] nfs client, kernel 2.4.31: readlink result overflow"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]