On Mon, Mar 14, 2022 at 05:42:58PM +0300, Chuck Lever III wrote:
> Hi Dan-
>
> > On Mar 14, 2022, at 10:06 AM, Dan Carpenter <dan.carpenter@xxxxxxxxxx> wrote:
> >
> > This code checks the upper bound of "len" but it needs to check for
> > negative values as well.
>
> It doesn't check because nfsd3_writeargs::len is a __u32,
> and the NFSv2 code here was copied from that assuming that
> nfsd_writeargs::len had the same signage. This is because...
>
> https://datatracker.ietf.org/doc/html/rfc1832#section-3.13 says
> that the count field in a variable-length array is supposed to
> be unsigned.
>
> Thus IMO nfsd_writeargs::len should be changed to __u32
> instead of adding the extra negativity check.
>
> If you resend, make sure the format specifier in the dprintk()
> at the top of nfsd_proc_write() is adjusted accordingly.

Thanks for this tip.  It's weird that GCC doesn't complain if you don't
make this change to the printk.  :/

regards,
dan carpenter
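
An added illustration, not part of the thread and not the nfsd code: the same upper-bound check applied to an XDR array count held in a signed and in an unsigned field. MAX_PAYLOAD, the function names and the wire bytes are constructed for this example.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_PAYLOAD 8192u /* hypothetical limit, not the nfsd value */

/* Decode the 4-byte big-endian count that prefixes an XDR
 * variable-length array (RFC 1832 section 3.13). */
static uint32_t xdr_decode_count(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Signed field with only an upper-bound check: a wire count of
 * 0x80000000 or more turns negative (GCC and Clang wrap on this
 * conversion) and is accepted. */
static int len_ok_signed(const unsigned char *wire)
{
    int len = (int)xdr_decode_count(wire);
    return len <= (int)MAX_PAYLOAD;
}

/* Unsigned field: the same single comparison rejects the value,
 * so no separate negativity check is needed. */
static int len_ok_unsigned(const unsigned char *wire)
{
    uint32_t len = xdr_decode_count(wire);
    return len <= MAX_PAYLOAD;
}

/* Constructed wire samples: count = 1024 and count = 0xfffffff0. */
static const unsigned char wire_small[4] = { 0x00, 0x00, 0x04, 0x00 };
static const unsigned char wire_huge[4] = { 0xff, 0xff, 0xff, 0xf0 };

int main(void)
{
    uint32_t huge = xdr_decode_count(wire_huge);

    printf("count=1024       signed=%d unsigned=%d\n",
           len_ok_signed(wire_small), len_ok_unsigned(wire_small));
    printf("count=0xfffffff0 signed=%d unsigned=%d\n",
           len_ok_signed(wire_huge), len_ok_unsigned(wire_huge));
    /* The format specifier has to follow the type: as a signed int
     * the value logs as -16, as an unsigned one as 4294967280. */
    printf("as int: %d, as uint32_t: %" PRIu32 "\n", (int)huge, huge);
    return 0;
}
```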