Patchwork [BUG:999,v2] nfs: avoid assignment of structure pointer into serialized buffer

Submitter Anand Avati
Date 2010-10-12 07:55:46
Message ID <20101012075546.GA7660@dev.gluster.com>
Permalink /patch/5466/
State Accepted

Comments

Anand Avati - 2010-10-12 07:55:46
With the introduction of the variable-sized file handle feature in NFS,
on-wire lengths of file handles can be less than the file handle structure
of code. Direct pointer assignment into the offsetted buffer and
dereference can result in reads beyond the end of the buffer and crashes.

Signed-off-by: Anand V. Avati <avati@blackhole.gluster.com>
---
 xlators/nfs/server/src/nfs3.c |    6 ++++--
 1 files changed, 4 insertions(+), 2 deletions(-)

Patch

diff --git a/xlators/nfs/server/src/nfs3.c b/xlators/nfs/server/src/nfs3.c
index a81676d..fe265ed 100644
--- a/xlators/nfs/server/src/nfs3.c
+++ b/xlators/nfs/server/src/nfs3.c
@@ -2096,6 +2096,7 @@  nfs3svc_write_vec (rpcsvc_request_t *req, struct iobuf *iob)
         write3args              *args = NULL;
         int                     ret = RPCSVC_ACTOR_ERROR;
         struct iovec            payload = {0, };
+        struct nfs3_fh          fh = {{0}, };
 
         if ((!req) || (!iob))
                 return ret;
@@ -2103,8 +2104,9 @@  nfs3svc_write_vec (rpcsvc_request_t *req, struct iobuf *iob)
         args = nfs_rpcsvc_request_private (req);
         iobuf_to_iovec (iob, &payload);
         iobuf_ref (iob);
-        ret = nfs3_write (req, (struct nfs3_fh *)args->file.data.data_val,
-                          args->offset, args->count, args->stable, payload,iob);
+        memcpy (&fh, args->file.data.data_val, args->file.data.data_len);
+        ret = nfs3_write (req, &fh, args->offset, args->count, args->stable,
+                          payload,iob);
         xdr_free_write3args_nocopy (args);
         GF_FREE (args);
         if (ret < 0) {
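
Review bot: The memcpy into fh takes its length from args->file.data.data_len with no upper bound visible in this hunk, so a handle longer than sizeof (fh) would write past the end of the stack variable. Unless the decode path that fills args already rejects oversized handles, check the length before the copy: either fail the request when data_len > sizeof (fh), or copy at most sizeof (fh) bytes. If you add an early error return, route it through the existing xdr_free_write3args_nocopy (args) and GF_FREE (args) cleanup and account for the iobuf_ref (iob) already taken above.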