If len == 29, r_addr[len] = '\0' will overrun r_addr.
Signed-off-by: Benny Halevy <bhalevy@xxxxxxxxxxx>
---
 fs/nfs/nfs4filelayoutdev.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/fs/nfs/nfs4filelayoutdev.c b/fs/nfs/nfs4filelayoutdev.c
index 8e9d04a..3d84fef 100644
--- a/fs/nfs/nfs4filelayoutdev.c
+++ b/fs/nfs/nfs4filelayoutdev.c
@@ -332,7 +332,7 @@ decode_and_add_ds(uint32_t **pp, struct inode *inode)
 tmp[0] = be32_to_cpup(p++);
 len = be32_to_cpup(p++);
- if (len > 29) {
+ if (len >= sizeof(r_addr)) {
 printk("%s: ERROR: Device ip/port too long (%d)\n",
 __func__, len);
 goto out_err;
--
1.6.6.1
--
To unsubscribe from this list: send the line "unsubscribe linux-nfs" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
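Review bot: The new bound `if (len >= sizeof(r_addr))` is only correct while r_addr is a local array; its declaration is outside this hunk, and if it were ever changed to a pointer the check would silently shrink to the pointer size. len is read straight from the wire with be32_to_cpup(), and the `%d` in the printk below suggests it may be declared as a signed int. If so, the implicit conversion to size_t in this comparison is what rejects values with the top bit set, which the old `len > 29` would have let through as negatives. I would record both facts next to the check so it is not "simplified" later, e.g. `/* len is server-supplied: leave room for the trailing NUL; the unsigned compare also rejects negative values */`. If len is in fact unsigned, the printk should use `%u` so an oversized value is not logged as a negative number.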