Re: [PATCH] nfs client, kernel 2.4.31: readlink result overflow
From: Valdis . Kletnieks
Date: Mon Sep 12 2005 - 15:54:23 EST
On Mon, 12 Sep 2005 16:41:19 EDT, Assar said:
> Valdis.Kletnieks@xxxxxx writes:
> > > To my reading, the 2.6.13 code does not copy the 4 bytes of length to
> > > rcvbuf.
> >
> > Hmm... it still does this:
> > kaddr[len+rcvbuf->page_base] = '\0';
> > which still has a possible off-by-one? (Was that why you have -1 -4?)
>
> The check is different. 2.6.13 is using ">=" instead of ">", so hence
> I think that's fine.
Argh. Where's my reading glasses? ;) Yes, a >= check works there....
> + if (len > rcvbuf->page_len - sizeof(*strlen) - 1)
> + len = rcvbuf->page_len - sizeof(*strlen) - 1;
OK, looks saner to me, but Trond and Marcelo probably get to make the final decision ;)
Attachment:
pgp00000.pgp
Description: PGP signature