svn commit: r220876 - head/sys/fs/nfsclient

Rick Macklem rmacklem at FreeBSD.org
Wed Apr 20 00:21:52 UTC 2011


Author: rmacklem
Date: Wed Apr 20 00:21:51 2011
New Revision: 220876
URL: http://svn.freebsd.org/changeset/base/220876

Log:
  Modify the offset + size checks for read and write in the
  experimental NFS client to take care of overflows. Thanks
  go to dillon at apollo.backplane.com for providing the
  snippet of code that does this.
  
  MFC after:	2 weeks

Modified:
  head/sys/fs/nfsclient/nfs_clrpcops.c

Modified: head/sys/fs/nfsclient/nfs_clrpcops.c
==============================================================================
--- head/sys/fs/nfsclient/nfs_clrpcops.c	Tue Apr 19 23:33:51 2011	(r220875)
+++ head/sys/fs/nfsclient/nfs_clrpcops.c	Wed Apr 20 00:21:51 2011	(r220876)
@@ -1285,12 +1285,13 @@ nfsrpc_readrpc(vnode_t vp, struct uio *u
 	struct nfsmount *nmp = VFSTONFS(vnode_mount(vp));
 	struct nfsrv_descript *nd = &nfsd;
 	int rsize;
+	off_t tmp_off;
 
 	*attrflagp = 0;
 	tsiz = uio_uio_resid(uiop);
+	tmp_off = uiop->uio_offset + tsiz;
 	NFSLOCKMNT(nmp);
-	if (uiop->uio_offset + tsiz > nmp->nm_maxfilesize) {
-		/* XXX Needs overflow/negative check for uio_offset */
+	if (tmp_off > nmp->nm_maxfilesize || tmp_off < uiop->uio_offset) {
 		NFSUNLOCKMNT(nmp);
 		return (EFBIG);
 	}
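Review bot: The wrap test `tmp_off < uiop->uio_offset` in nfsrpc_readrpc runs only after `uiop->uio_offset + tsiz` has been computed into the signed `off_t tmp_off`, and signed overflow is undefined in C, so the check holds only if the kernel is built with wrapping signed arithmetic; otherwise the compiler may drop it. The nfsrpc_writerpc hunk adds the same pattern. Comparing before adding removes that dependency, e.g. `if (uiop->uio_offset < 0 || uiop->uio_offset > nmp->nm_maxfilesize || tsiz > nmp->nm_maxfilesize - uiop->uio_offset) {`, which also makes explicit the negative-offset case named in the removed XXX comment. The types of `tsiz` and `nm_maxfilesize` are declared outside the hunk, so the signedness of these comparisons should be confirmed; both function bodies start and end outside the hunks.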
@@ -1458,12 +1459,14 @@ nfsrpc_writerpc(vnode_t vp, struct uio *
 	struct nfsrv_descript nfsd;
 	struct nfsrv_descript *nd = &nfsd;
 	nfsattrbit_t attrbits;
+	off_t tmp_off;
 
 	KASSERT(uiop->uio_iovcnt == 1, ("nfs: writerpc iovcnt > 1"));
 	*attrflagp = 0;
 	tsiz = uio_uio_resid(uiop);
+	tmp_off = uiop->uio_offset + tsiz;
 	NFSLOCKMNT(nmp);
-	if (uiop->uio_offset + tsiz > nmp->nm_maxfilesize) {
+	if (tmp_off > nmp->nm_maxfilesize || tmp_off < uiop->uio_offset) {
 		NFSUNLOCKMNT(nmp);
 		return (EFBIG);
 	}

