authorAnand Avati <avati@gluster.com>2010-10-12 02:25:46 +0000
committerVijay Bellur <vijay@dev.gluster.com>2010-10-12 01:39:41 -0700
commited4975b13db3220d461b8ea2a764efd6572e156a (patch)
tree3b08b1ee326d6394f15224a42225bd80373ec9a3
parent48672d26a01f3ce443479b19820e2822a6c650f6 (diff)
nfs: avoid assignment of structure pointer into serialized buffer
With the introduction of the variable-sized file handle feature in NFS, on-wire lengths of file handles can be smaller than the file handle structure in the code. Direct pointer assignment into the offset buffer followed by a dereference can result in reads beyond the end of the buffer and crashes. Signed-off-by: Anand V. Avati <avati@blackhole.gluster.com> Signed-off-by: Vijay Bellur <vijay@dev.gluster.com> BUG: 999 (Crash in nfs3_fh_resolve_and_resume) URL: http://bugs.gluster.com/cgi-bin/bugzilla3/show_bug.cgi?id=999
-rw-r--r--xlators/nfs/server/src/nfs3.c6
1 files changed, 4 insertions, 2 deletions
diff --git a/xlators/nfs/server/src/nfs3.c b/xlators/nfs/server/src/nfs3.c
index a81676d1775..fe265ed73f8 100644
--- a/xlators/nfs/server/src/nfs3.c
+++ b/xlators/nfs/server/src/nfs3.c
@@ -2096,6 +2096,7 @@ nfs3svc_write_vec (rpcsvc_request_t *req, struct iobuf *iob)
write3args *args = NULL;
int ret = RPCSVC_ACTOR_ERROR;
struct iovec payload = {0, };
+ struct nfs3_fh fh = {{0}, };
if ((!req) || (!iob))
return ret;
@@ -2103,8 +2104,9 @@ nfs3svc_write_vec (rpcsvc_request_t *req, struct iobuf *iob)
args = nfs_rpcsvc_request_private (req);
iobuf_to_iovec (iob, &payload);
iobuf_ref (iob);
- ret = nfs3_write (req, (struct nfs3_fh *)args->file.data.data_val,
- args->offset, args->count, args->stable, payload,iob);
+ memcpy (&fh, args->file.data.data_val, args->file.data.data_len);
+ ret = nfs3_write (req, &fh, args->offset, args->count, args->stable,
+ payload,iob);
xdr_free_write3args_nocopy (args);
GF_FREE (args);
if (ret < 0) {
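Review bot: The new `memcpy (&fh, args->file.data.data_val, args->file.data.data_len)` in nfs3svc_write_vec takes its length straight from the on-wire handle and never compares it with `sizeof (fh)`. The copy fixes the over-read for short handles, but a handle longer than `struct nfs3_fh` would now write past a stack variable. Whether the XDR decoder already caps `data_len` at or below the structure size is not visible in this hunk, so the bound is worth enforcing at the copy site. A guard such as `if (args->file.data.data_len > sizeof (fh))` should reject the request through the function's existing error path, ideally before `iobuf_ref (iob)` so no reference is left held. The function body continues outside the hunk, so the exact cleanup label is for the author to choose.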