Commit 13c82e8eb515ea84de4e3a1a097137bd3d5c2cc5
Committed by
J. Bruce Fields
1 parent
48c348b09c
NFSD: Full checking of authentication name
Signed-off-by: Kinglong Mee <kinglongmee@gmail.com> Signed-off-by: J. Bruce Fields <bfields@redhat.com>
Showing 1 changed file with 5 additions and 9 deletions Side-by-side Diff
fs/nfsd/nfs4idmap.c
... | ... | @@ -215,7 +215,8 @@ |
215 | 215 | memset(&ent, 0, sizeof(ent)); |
216 | 216 | |
217 | 217 | /* Authentication name */ |
218 | - if (qword_get(&buf, buf1, PAGE_SIZE) <= 0) | |
218 | + len = qword_get(&buf, buf1, PAGE_SIZE); | |
219 | + if (len <= 0 || len >= IDMAP_NAMESZ) | |
219 | 220 | goto out; |
220 | 221 | memcpy(ent.authname, buf1, sizeof(ent.authname)); |
221 | 222 | |
222 | 223 | |
... | ... | @@ -245,12 +246,10 @@ |
245 | 246 | /* Name */ |
246 | 247 | error = -EINVAL; |
247 | 248 | len = qword_get(&buf, buf1, PAGE_SIZE); |
248 | - if (len < 0) | |
249 | + if (len < 0 || len >= IDMAP_NAMESZ) | |
249 | 250 | goto out; |
250 | 251 | if (len == 0) |
251 | 252 | set_bit(CACHE_NEGATIVE, &ent.h.flags); |
252 | - else if (len >= IDMAP_NAMESZ) | |
253 | - goto out; | |
254 | 253 | else |
255 | 254 | memcpy(ent.name, buf1, sizeof(ent.name)); |
256 | 255 | error = -ENOMEM; |
257 | 256 | |
258 | 257 | |
... | ... | @@ -259,15 +258,12 @@ |
259 | 258 | goto out; |
260 | 259 | |
261 | 260 | cache_put(&res->h, cd); |
262 | - | |
263 | 261 | error = 0; |
264 | 262 | out: |
265 | 263 | kfree(buf1); |
266 | - | |
267 | 264 | return error; |
268 | 265 | } |
269 | 266 | |
270 | - | |
271 | 267 | static struct ent * |
272 | 268 | idtoname_lookup(struct cache_detail *cd, struct ent *item) |
273 | 269 | { |
... | ... | @@ -381,7 +377,8 @@ |
381 | 377 | memset(&ent, 0, sizeof(ent)); |
382 | 378 | |
383 | 379 | /* Authentication name */ |
384 | - if (qword_get(&buf, buf1, PAGE_SIZE) <= 0) | |
380 | + len = qword_get(&buf, buf1, PAGE_SIZE); | |
381 | + if (len <= 0 || len >= IDMAP_NAMESZ) | |
385 | 382 | goto out; |
386 | 383 | memcpy(ent.authname, buf1, sizeof(ent.authname)); |
387 | 384 | |
... | ... | @@ -421,7 +418,6 @@ |
421 | 418 | error = 0; |
422 | 419 | out: |
423 | 420 | kfree(buf1); |
424 | - | |
425 | 421 | return (error); |
426 | 422 | } |
427 | 423 |