Date:      Wed, 4 May 2011 01:24:03 +0000 (UTC)
From:      Rick Macklem <rmacklem@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-8@freebsd.org
Subject:   svn commit: r221416 - stable/8/sys/fs/nfsclient
Message-ID:  <201105040124.p441O3fn024825@svn.freebsd.org>

Author: rmacklem
Date: Wed May  4 01:24:03 2011
New Revision: 221416
URL: http://svn.freebsd.org/changeset/base/221416

Log:
  MFC: r220876
  Modify the offset + size checks for read and write in the
  experimental NFS client to take care of overflows. Thanks
  go to dillon at apollo.backplane.com for providing the
  snippet of code that does this.

Modified:
  stable/8/sys/fs/nfsclient/nfs_clrpcops.c
Directory Properties:
  stable/8/sys/   (props changed)
  stable/8/sys/amd64/include/xen/   (props changed)
  stable/8/sys/cddl/contrib/opensolaris/   (props changed)
  stable/8/sys/contrib/dev/acpica/   (props changed)
  stable/8/sys/contrib/pf/   (props changed)

Modified: stable/8/sys/fs/nfsclient/nfs_clrpcops.c
==============================================================================
--- stable/8/sys/fs/nfsclient/nfs_clrpcops.c	Wed May  4 01:07:32 2011	(r221415)
+++ stable/8/sys/fs/nfsclient/nfs_clrpcops.c	Wed May  4 01:24:03 2011	(r221416)
@@ -1285,12 +1285,13 @@ nfsrpc_readrpc(vnode_t vp, struct uio *u
 	struct nfsmount *nmp = VFSTONFS(vnode_mount(vp));
 	struct nfsrv_descript *nd = &nfsd;
 	int rsize;
+	off_t tmp_off;
 
 	*attrflagp = 0;
 	tsiz = uio_uio_resid(uiop);
+	tmp_off = uiop->uio_offset + tsiz;
 	NFSLOCKMNT(nmp);
-	if (uiop->uio_offset + tsiz > nmp->nm_maxfilesize) {
-		/* XXX Needs overflow/negative check for uio_offset */
+	if (tmp_off > nmp->nm_maxfilesize || tmp_off < uiop->uio_offset) {
 		NFSUNLOCKMNT(nmp);
 		return (EFBIG);
 	}
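Review bot: The wraparound test `tmp_off < uiop->uio_offset` in the new condition depends on signed overflow of `off_t` in `tmp_off = uiop->uio_offset + tsiz`, which is undefined behaviour in C, so unless the kernel is built with wrapping-arithmetic semantics the compiler may legally reduce that comparison to `tsiz < 0` and the overflow case goes back to passing silently. A form that never overflows keeps the intent: `if (uiop->uio_offset < 0 || tsiz > OFF_MAX - uiop->uio_offset || uiop->uio_offset + tsiz > nmp->nm_maxfilesize)` (this assumes `tsiz` is non-negative; its declaration is outside the hunk). It also restores the explicit negative-offset check the removed `XXX` comment asked for, since whether a negative `tmp_off` is rejected by the `nm_maxfilesize` comparison depends on that field's signedness, which is not visible here. The same pattern is introduced in the nfsrpc_writerpc hunk below. Both functions begin before and continue past their hunks.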
@@ -1458,12 +1459,14 @@ nfsrpc_writerpc(vnode_t vp, struct uio *
 	struct nfsrv_descript nfsd;
 	struct nfsrv_descript *nd = &nfsd;
 	nfsattrbit_t attrbits;
+	off_t tmp_off;
 
 	KASSERT(uiop->uio_iovcnt == 1, ("nfs: writerpc iovcnt > 1"));
 	*attrflagp = 0;
 	tsiz = uio_uio_resid(uiop);
+	tmp_off = uiop->uio_offset + tsiz;
 	NFSLOCKMNT(nmp);
-	if (uiop->uio_offset + tsiz > nmp->nm_maxfilesize) {
+	if (tmp_off > nmp->nm_maxfilesize || tmp_off < uiop->uio_offset) {
 		NFSUNLOCKMNT(nmp);
 		return (EFBIG);
 	}


