From owner-svn-src-all@FreeBSD.ORG Wed Apr 20 00:21:52 2011
Message-Id: <201104200021.p3K0LqE1026936@svn.freebsd.org>
From: Rick Macklem
Date: Wed, 20 Apr 2011 00:21:52 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: svn commit: r220876 - head/sys/fs/nfsclient
X-SVN-Group: head
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-src-all@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "SVN commit messages for the entire src tree (except for "user" and "projects")"
X-List-Received-Date: Wed, 20 Apr 2011 00:21:52 -0000

Author: rmacklem
Date: Wed Apr 20 00:21:51 2011
New Revision: 220876
URL: http://svn.freebsd.org/changeset/base/220876

Log:
  Modify the offset + size checks for read and write in the experimental
  NFS client to take care of overflows. Thanks go to dillon at
  apollo.backplane.com for providing the snippet of code that does this.

  MFC after:	2 weeks

Modified:
  head/sys/fs/nfsclient/nfs_clrpcops.c

Modified: head/sys/fs/nfsclient/nfs_clrpcops.c ============================================================================== --- head/sys/fs/nfsclient/nfs_clrpcops.c Tue Apr 19 23:33:51 2011 (r220875) +++ head/sys/fs/nfsclient/nfs_clrpcops.c Wed Apr 20 00:21:51 2011 (r220876) @@ -1285,12 +1285,13 @@ nfsrpc_readrpc(vnode_t vp, struct uio *u struct nfsmount *nmp = VFSTONFS(vnode_mount(vp)); struct nfsrv_descript *nd = &nfsd; int rsize; + off_t tmp_off; *attrflagp = 0; tsiz = uio_uio_resid(uiop); + tmp_off = uiop->uio_offset + tsiz; NFSLOCKMNT(nmp); - if (uiop->uio_offset + tsiz > nmp->nm_maxfilesize) { - /* XXX Needs overflow/negative check for uio_offset */ + if (tmp_off > nmp->nm_maxfilesize || tmp_off < uiop->uio_offset) { NFSUNLOCKMNT(nmp); return (EFBIG); }
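Review bot: the XXX comment this hunk removes asked for an overflow check and a negative check on uio_offset, but the new condition only covers the wrap-around half: a negative uiop->uio_offset with a small tsiz gives a tmp_off that is neither above nm_maxfilesize nor below uio_offset, so the request is accepted and the negative offset goes out in the RPC. Consider rejecting it explicitly, e.g. `if (uiop->uio_offset < 0 || tmp_off > nmp->nm_maxfilesize || tmp_off < uiop->uio_offset)`. Note also that `tmp_off < uiop->uio_offset` only detects the overflow after `uiop->uio_offset + tsiz` has already wrapped; off_t is signed, so that addition is undefined behaviour in standard C and the comparison is only reliable if the kernel build guarantees wrapping arithmetic. Once a non-negative offset is established, a subtraction form such as `tsiz > nmp->nm_maxfilesize - uiop->uio_offset` cannot overflow and does not depend on that guarantee.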
@@ -1458,12 +1459,14 @@ nfsrpc_writerpc(vnode_t vp, struct uio * struct nfsrv_descript nfsd; struct nfsrv_descript *nd = &nfsd; nfsattrbit_t attrbits; + off_t tmp_off; KASSERT(uiop->uio_iovcnt == 1, ("nfs: writerpc iovcnt > 1")); *attrflagp = 0; tsiz = uio_uio_resid(uiop); + tmp_off = uiop->uio_offset + tsiz; NFSLOCKMNT(nmp); - if (uiop->uio_offset + tsiz > nmp->nm_maxfilesize) { + if (tmp_off > nmp->nm_maxfilesize || tmp_off < uiop->uio_offset) { NFSUNLOCKMNT(nmp); return (EFBIG); }
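Review bot: this is the same condition as in nfsrpc_readrpc, with the same gap: uiop->uio_offset is never tested for being negative, which the comment removed from the read path had flagged, and the overflow is only noticed after the signed `uiop->uio_offset + tsiz` has wrapped. Since the two checks are byte-for-byte identical, a small shared helper or macro taking uio_offset, tsiz and nm_maxfilesize and returning EFBIG would keep both call sites in step when the check is tightened, and the `uio_offset < 0` rejection would then only need adding in one place.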