Commit 13c82e8eb515ea84de4e3a1a097137bd3d5c2cc5

Authored by Kinglong Mee
Committed by J. Bruce Fields
1 parent 48c348b09c

NFSD: Full checking of authentication name

Signed-off-by: Kinglong Mee <kinglongmee@gmail.com>
Signed-off-by: J. Bruce Fields <bfields@redhat.com>

Showing 1 changed file with 5 additions and 9 deletions Side-by-side Diff

... ... @@ -215,7 +215,8 @@
215 215 memset(&ent, 0, sizeof(ent));
216 216  
217 217 /* Authentication name */
218   - if (qword_get(&buf, buf1, PAGE_SIZE) <= 0)
  218 + len = qword_get(&buf, buf1, PAGE_SIZE);
  219 + if (len <= 0 || len >= IDMAP_NAMESZ)
219 220 goto out;
220 221 memcpy(ent.authname, buf1, sizeof(ent.authname));
221 222  
222 223  
... ... @@ -245,12 +246,10 @@
245 246 /* Name */
246 247 error = -EINVAL;
247 248 len = qword_get(&buf, buf1, PAGE_SIZE);
248   - if (len < 0)
  249 + if (len < 0 || len >= IDMAP_NAMESZ)
249 250 goto out;
250 251 if (len == 0)
251 252 set_bit(CACHE_NEGATIVE, &ent.h.flags);
252   - else if (len >= IDMAP_NAMESZ)
253   - goto out;
254 253 else
255 254 memcpy(ent.name, buf1, sizeof(ent.name));
256 255 error = -ENOMEM;
257 256  
258 257  
... ... @@ -259,15 +258,12 @@
259 258 goto out;
260 259  
261 260 cache_put(&res->h, cd);
262   -
263 261 error = 0;
264 262 out:
265 263 kfree(buf1);
266   -
267 264 return error;
268 265 }
269 266  
270   -
271 267 static struct ent *
272 268 idtoname_lookup(struct cache_detail *cd, struct ent *item)
273 269 {
... ... @@ -381,7 +377,8 @@
381 377 memset(&ent, 0, sizeof(ent));
382 378  
383 379 /* Authentication name */
384   - if (qword_get(&buf, buf1, PAGE_SIZE) <= 0)
  380 + len = qword_get(&buf, buf1, PAGE_SIZE);
  381 + if (len <= 0 || len >= IDMAP_NAMESZ)
385 382 goto out;
386 383 memcpy(ent.authname, buf1, sizeof(ent.authname));
387 384  
... ... @@ -421,7 +418,6 @@
421 418 error = 0;
422 419 out:
423 420 kfree(buf1);
424   -
425 421 return (error);
426 422 }
427 423
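Review bot: The `memcpy(ent.authname, buf1, sizeof(ent.authname))` that follows the new length check (new lines 221 and 383, and likewise `memcpy(ent.name, buf1, sizeof(ent.name))` at new line 254) still copies a fixed-size window of buf1 rather than the `len` bytes that were just validated. If buf1 is a non-zeroed allocation and qword_get NUL-terminates its output (neither is visible in these hunks), the bytes after the terminator are stale buffer contents that end up in the cache entry. Copying only the parsed string avoids that and ties the copy to the checked length: `memcpy(ent.authname, buf1, len + 1);`. A short comment such as `/* reject over-long names instead of truncating them */` above the check would also record why the bound is there, since the commit message does not. Both parse functions begin outside the hunks shown, so the declarations of `len`, `buf1` and `ent` should be confirmed there.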