author | Anand Avati <avati@gluster.com> | 2010-10-12 02:25:46 +0000 |
---|---|---|
committer | Vijay Bellur <vijay@dev.gluster.com> | 2010-10-12 01:39:41 -0700 |
commit | ed4975b13db3220d461b8ea2a764efd6572e156a (patch) | |
tree | 3b08b1ee326d6394f15224a42225bd80373ec9a3 /xlators/nfs/server/src/nfs3.c | |
parent | 48672d26a01f3ce443479b19820e2822a6c650f6 (diff) |
nfs: avoid assignment of structure pointer into serialized buffer
With the introduction of the variable-sized file handle feature in NFS,
on-wire lengths of file handles can be smaller than the file handle structure
in the code. Direct pointer assignment into the offset buffer and a subsequent
dereference can result in reads beyond the end of the buffer and crashes.
Signed-off-by: Anand V. Avati <avati@blackhole.gluster.com>
Signed-off-by: Vijay Bellur <vijay@dev.gluster.com>
BUG: 999 (Crash in nfs3_fh_resolve_and_resume)
URL: http://bugs.gluster.com/cgi-bin/bugzilla3/show_bug.cgi?id=999
Diffstat (limited to 'xlators/nfs/server/src/nfs3.c')
-rw-r--r-- | xlators/nfs/server/src/nfs3.c | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/xlators/nfs/server/src/nfs3.c b/xlators/nfs/server/src/nfs3.c
index a81676d1775..fe265ed73f8 100644
--- a/xlators/nfs/server/src/nfs3.c
+++ b/xlators/nfs/server/src/nfs3.c
@@ -2096,6 +2096,7 @@ nfs3svc_write_vec (rpcsvc_request_t *req, struct iobuf *iob)
 write3args *args = NULL;
 int ret = RPCSVC_ACTOR_ERROR;
 struct iovec payload = {0, };
+ struct nfs3_fh fh = {{0}, };
 if ((!req) || (!iob)) return ret;
@@ -2103,8 +2104,9 @@ nfs3svc_write_vec (rpcsvc_request_t *req, struct iobuf *iob)
 args = nfs_rpcsvc_request_private (req);
 iobuf_to_iovec (iob, &payload);
 iobuf_ref (iob);
- ret = nfs3_write (req, (struct nfs3_fh *)args->file.data.data_val,
- args->offset, args->count, args->stable, payload,iob);
+ memcpy (&fh, args->file.data.data_val, args->file.data.data_len);
+ ret = nfs3_write (req, &fh, args->offset, args->count, args->stable,
+ payload,iob);
 xdr_free_write3args_nocopy (args);
 GF_FREE (args);
 if (ret < 0) { |
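Review bot: The added `memcpy (&fh, args->file.data.data_val, args->file.data.data_len)` in the second hunk takes its length from the decoded request and never compares it with `sizeof (fh)`, so a handle longer than `struct nfs3_fh` would write past the stack object, trading the old over-read for a possible overflow. Whether the XDR decoder already caps `data_len` at or below the structure size is not visible here and should be confirmed. If it does not, guard the copy and the call, e.g. `if (args->file.data.data_len <= sizeof (fh)) {` around the `memcpy` and `nfs3_write` lines, so an oversized handle skips both and still reaches the `xdr_free_write3args_nocopy`/`GF_FREE` cleanup with `ret` at its initial `RPCSVC_ACTOR_ERROR`. The body of `nfs3svc_write_vec` continues outside the hunk, so how the `iobuf_ref` taken just before is released on that path needs checking against the rest of the function.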