On Tue, 08 Mar 2011 22:32:26 +0100 roel <roel.kluin@xxxxxxxxx> wrote:

> Index i was already used in the outer loop
>
> Signed-off-by: Roel Kluin <roel.kluin@xxxxxxxxx>
> ---
>  fs/nfsd/nfs4xdr.c |    4 ++--
>  1 files changed, 2 insertions(+), 2 deletions(-)
>
> Not 100% sure this one is needed but it looks suspicious.
>
> diff --git a/fs/nfsd/nfs4xdr.c b/fs/nfsd/nfs4xdr.c
> index 1275b86..615f0a9 100644
> --- a/fs/nfsd/nfs4xdr.c
> +++ b/fs/nfsd/nfs4xdr.c
> @@ -1142,7 +1142,7 @@ nfsd4_decode_create_session(struct nfsd4_compoundargs *argp,
>  
>  	u32 dummy;
>  	char *machine_name;
> -	int i;
> +	int i, j;
>  	int nr_secflavs;
>  
>  	READ_BUF(16);
> @@ -1215,7 +1215,7 @@ nfsd4_decode_create_session(struct nfsd4_compoundargs *argp,
>  		READ_BUF(4);
>  		READ32(dummy);
>  		READ_BUF(dummy * 4);
> -		for (i = 0; i < dummy; ++i)
> +		for (j = 0; j < dummy; ++j)
>  			READ32(dummy);
>  		break;
>  	case RPC_AUTH_GSS:

ooh, big bug.

I wonder why it was not previously detected at runtime. Perhaps nr_secflavs is always 1.

afaict this bug will allow a well-crafted packet to cause an infinite-until-it-oopses loop in the kernel.
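Review bot: in the `@@ -1215` hunk, switching the counter to `j` stops the outer loop over `nr_secflavs` from being clobbered, but the inner loop is still unsound on its own terms: `READ32(dummy)` overwrites `dummy`, which is also the loop bound, so `for (j = 0; j < dummy; ++j) READ32(dummy);` terminates only when a gid value read off the wire happens to be <= j, and the preceding `READ_BUF(dummy * 4)` has only validated space for the original count, so the reads can still run past the checked region. Suggest keeping the bound in its own variable and reading the skipped gids into a scratch one, e.g. `u32 num_gids; READ32(num_gids); READ_BUF(num_gids * 4); for (j = 0; j < num_gids; ++j) READ32(dummy);` so the termination condition no longer depends on the data being skipped. The `dummy * 4` product is also computed in `u32` and can wrap for very large counts, which would make the `READ_BUF` check too small; bounding the count against a sane maximum before multiplying would close that as well.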