summaryrefslogtreecommitdiffstats
path: root/crypto
diff options
context:
space:
mode:
authorNeil Brown <neilb@suse.de>2010-04-20 12:16:52 +1000
committerJ. Bruce Fields <bfields@citi.umich.edu>2010-04-26 15:39:08 -0400
commit2bc3c1179c781b359d4f2f3439cb3df72afc17fc (patch)
tree1ec45ae9721da85fb3807003067dd6be2b73a96d /crypto
parent0d0fb0f9c5fddef4a10242fe3337f00f528a3099 (diff)
downloadlinux-2bc3c1179c781b359d4f2f3439cb3df72afc17fc.tar.bz2
nfsd4: bug in read_buf
When read_buf is called to move over to the next page in the pagelist of an NFSv4 request, it sets argp->end to essentially a random number, certainly not an address within the page which argp->p now points to. So subsequent calls to READ_BUF will think there is much more than a page of spare space (the cast to u32 ensures an unsigned comparison) so we can expect to fall off the end of the second page. We never encountered thsi in testing because typically the only operations which use more than two pages are write-like operations, which have their own decoding logic. Something like a getattr after a write may cross a page boundary, but it would be very unusual for it to cross another boundary after that. Cc: stable@kernel.org Signed-off-by: J. Bruce Fields <bfields@citi.umich.edu>
Diffstat (limited to 'crypto')
0 files changed, 0 insertions, 0 deletions