On Wed, 23 Jun 2010, Serge E. Hallyn wrote: > > + status = res.xattr_val_len; > > + if (status <= size) > > res.xattr_val_len was set to size, as was status, and none of the > 3 has been changed, so here status can't be > size can it? res is part of msg, and is updated by the RPC layer when decoding the response (via xdr_decode_string_inplace()). > Was this just a safety to prevent overrun, or did you mean to > do some other check? (If a safety, then you'll still return > status > size, but with garbage in value, so i think you'd want > to also change status) > > > + memcpy(value, res.xattr_val, status); > Yes, the check stops us from copying more than the max. expected size to 'value'. It looks like we do need to return -EINVAL if the check fails, and likely the same with listxattr(). (Or is there a better error code for reporting invalid messages from the peer?) - James -- James Morris <jmorris@xxxxxxxxx> -- To unsubscribe from this list: send the line "unsubscribe linux-nfs" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html