We must at maximum use all remaining bytes from the packet. This means
we have to set length to the *minimum* of the desired length and the
remaining bytes, not the *maximum*.
/me goes hiding somewhere...
Fixes: 574ce99401 ("fs: nfs: Fix possible buffer overflow")
Signed-off-by: Sascha Hauer <s.hauer@xxxxxxxxxxxxxx>
---
fs/nfs.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/nfs.c b/fs/nfs.c
index c281a2ba75..1130632eb3 100644
--- a/fs/nfs.c
+++ b/fs/nfs.c
@@ -1125,7 +1125,7 @@ static int nfs_readlink_req(struct nfs_priv *npriv, struct nfs_fh *fh,
len = ntoh32(net_read_uint32(p)); /* new path length */
- len = max_t(unsigned int, len,
+ len = min_t(unsigned int, len,
nfs_packet->len - sizeof(struct rpc_reply) - sizeof(uint32_t));
p++;
--
2.29.2
_______________________________________________
barebox mailing list
barebox@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/barebox
