From: Rick Macklem <rmacklem@FreeBSD.org>
Date: Wed, 4 May 2011 01:24:03 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-8@freebsd.org
Subject: svn commit: r221416 - stable/8/sys/fs/nfsclient
Message-Id: <201105040124.p441O3fn024825@svn.freebsd.org>

Author: rmacklem
Date: Wed May  4 01:24:03 2011
New Revision: 221416
URL: http://svn.freebsd.org/changeset/base/221416

Log:
  MFC: r220876
  Modify the offset + size checks for read and write in the experimental
  NFS client to take care of overflows. Thanks go to dillon at
  apollo.backplane.com for providing the snippet of code that does this.

Modified:
  stable/8/sys/fs/nfsclient/nfs_clrpcops.c
Directory Properties:
  stable/8/sys/   (props changed)
  stable/8/sys/amd64/include/xen/   (props changed)
  stable/8/sys/cddl/contrib/opensolaris/   (props changed)
  stable/8/sys/contrib/dev/acpica/   (props changed)
  stable/8/sys/contrib/pf/   (props changed)

Modified: stable/8/sys/fs/nfsclient/nfs_clrpcops.c
==============================================================================
--- stable/8/sys/fs/nfsclient/nfs_clrpcops.c	Wed May  4 01:07:32 2011	(r221415)
+++ stable/8/sys/fs/nfsclient/nfs_clrpcops.c	Wed May  4 01:24:03 2011	(r221416)
@@ -1285,12 +1285,13 @@ nfsrpc_readrpc(vnode_t vp, struct uio *u struct nfsmount *nmp = VFSTONFS(vnode_mount(vp)); struct nfsrv_descript *nd = &nfsd; int rsize; + off_t tmp_off; *attrflagp = 0; tsiz = uio_uio_resid(uiop); + tmp_off = uiop->uio_offset + tsiz; NFSLOCKMNT(nmp); - if (uiop->uio_offset + tsiz > nmp->nm_maxfilesize) { - /* XXX Needs overflow/negative check for uio_offset */ + if (tmp_off > nmp->nm_maxfilesize || tmp_off < uiop->uio_offset) { NFSUNLOCKMNT(nmp); return (EFBIG); } @@ -1458,12 +1459,14 @@ nfsrpc_writerpc(vnode_t vp, struct uio * struct nfsrv_descript nfsd; struct nfsrv_descript *nd = &nfsd; nfsattrbit_t attrbits; + off_t tmp_off; KASSERT(uiop->uio_iovcnt == 1, ("nfs: writerpc iovcnt > 1")); *attrflagp = 0; tsiz = uio_uio_resid(uiop); + tmp_off = uiop->uio_offset + tsiz; NFSLOCKMNT(nmp); - if (uiop->uio_offset + tsiz > nmp->nm_maxfilesize) { + if (tmp_off > nmp->nm_maxfilesize || tmp_off < uiop->uio_offset) { NFSUNLOCKMNT(nmp); return (EFBIG); }
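Review bot: in the nfsrpc_readrpc hunk, the wraparound test `tmp_off < uiop->uio_offset` depends on the signed `off_t` addition `uiop->uio_offset + tsiz` wrapping, which is undefined behaviour in C, so a compiler is entitled to assume it cannot be true and drop that half of the condition unless the kernel is built with -fwrapv; the robust form tests before adding, e.g. `if (uiop->uio_offset < 0 || uiop->uio_offset > nmp->nm_maxfilesize || tsiz > nmp->nm_maxfilesize - uiop->uio_offset)`. That form also covers the second half of the deleted `/* XXX Needs overflow/negative check for uio_offset */` comment: as written, a negative uio_offset with a small tsiz gives tmp_off greater than uio_offset and below nm_maxfilesize, so it still passes, yet the comment recording that gap is removed. Either add the `< 0` test or keep the XXX note.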
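Review bot: the nfsrpc_writerpc hunk duplicates the nfsrpc_readrpc change verbatim (`tmp_off = uiop->uio_offset + tsiz;` followed by the same two-clause test and the same EFBIG return under NFSLOCKMNT), so the file-size bounds rule now lives in two places that must be kept in sync. Consider a small static helper (hypothetical name, e.g. nfscl_checkoffsize(off, len, maxsize)) that returns EFBIG or 0, called from both RPCs, so that any later tightening of the overflow or negative-offset handling is made once; the tmp_off declaration added to each function could then go away as well.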