Re: [PATCH] nfs client, kernel 2.4.31: readlink result overflow

On Mon, 12 Sep 2005 15:37:46 EDT, Assar said:
> [email protected] writes:
> > Odd, as it has similar code - 2.6.13-mm1 nfs2xdr.c has:
> >         /* Convert length of symlink */
> >         len = ntohl(*p++);
> >         if (len >= rcvbuf->page_len || len <= 0) {
> 
> To my reading, the 2.6.13 code does not copy the 4 bytes of length to
> rcvbuf.

Hmm... it still does this:
	kaddr[len+rcvbuf->page_base] = '\0';
which still has a possible off-by-one? (Was that why you have -1 -4?)

> > Am I the only one who finds an uncommented "-1 -4" construct scary beyond belief?
> 
> Probably not.  What do you think looks better?  sizeof(u32) ?

sizeof(actual_var) is even better, as that way it's clear what you're allowing
space for.

Attachment: pgpmcZ4vpHlUH.pgp
Description: PGP signature

Follow-Ups:
- Re: [PATCH] nfs client, kernel 2.4.31: readlink result overflow
  - From: Assar <[email protected]>

References:
- [PATCH] nfs client, kernel 2.4.31: readlink result overflow
  - From: Assar <[email protected]>
- Re: [PATCH] nfs client, kernel 2.4.31: readlink result overflow
  - From: [email protected]
- Re: [PATCH] nfs client, kernel 2.4.31: readlink result overflow
  - From: Assar <[email protected]>

Prev by Date: RE: [PATCH 2.6.13 5/14] sas-class: sas_discover.c Discover process (end devices)
Next by Date: Re: Tainted lsmod output
Previous by thread: Re: [PATCH] nfs client, kernel 2.4.31: readlink result overflow
Next by thread: Re: [PATCH] nfs client, kernel 2.4.31: readlink result overflow
Index(es):
- Date
- Thread

[Index of Archives] [Kernel Newbies] [Netfilter] [Bugtraq] [Photo] [Gimp] [Yosemite News] [MIPS Linux] [ARM Linux] [Linux Security] [Linux RAID] [Video 4 Linux] [Linux for the blind]