Attachment #39735 for bug #93652

View | Details | Raw Unified | Return to bug 93652
Collapse All | Expand All




			return -EINVAL;
	} else {
		if (xdr_decode_word(buf, base, &desc->array_len) != 0 ||
		    desc->array_len > (buf->len - base - 4) / desc->elem_size)
				    desc->elem_size > buf->len)
			return -EINVAL;
	}
	base += 4;

xdr_encode_array2(struct xdr_buf *buf, unsigned int base,
		  struct xdr_array2_desc *desc)
{
	if (buf->head->iov_len + buf->page_len + buf->tail->iov_len -
	    base < desc->array_len * desc->elem_size + 4)
		return -EINVAL;

	return xdr_xcode_array2(buf, base, desc, 1);

Return to bug 93652

Lines 989-996 xdr_xcode_array2(struct xdr_buf *buf, un Link Here

(-)linux-2.6.5/net/sunrpc/xdr.c (-4 / +3 lines)
989	return -EINVAL;	989	return -EINVAL;
990	} else {	990	} else {
991	if (xdr_decode_word(buf, base, &desc->array_len) != 0 \|\|	991	if (xdr_decode_word(buf, base, &desc->array_len) != 0 \|\|
992	(unsigned long) base + 4 + desc->array_len *	992	desc->array_len > (buf->len - base - 4) / desc->elem_size)
993	desc->elem_size > buf->len)
994	return -EINVAL;	993	return -EINVAL;
995	}	994	}
996	base += 4;	995	base += 4;
Lines 1158-1165 int Link Here
1158	xdr_encode_array2(struct xdr_buf *buf, unsigned int base,	1157	xdr_encode_array2(struct xdr_buf *buf, unsigned int base,
1159	struct xdr_array2_desc *desc)	1158	struct xdr_array2_desc *desc)
1160	{	1159	{
1161	if ((unsigned long) base + 4 + desc->array_len * desc->elem_size >	1160	if (buf->head->iov_len + buf->page_len + buf->tail->iov_len -
1162	buf->head->iov_len + buf->page_len + buf->tail->iov_len)	1161	base < desc->array_len * desc->elem_size + 4)
1163	return -EINVAL;	1162	return -EINVAL;
1164		1163
1165	return xdr_xcode_array2(buf, base, desc, 1);	1164	return xdr_xcode_array2(buf, base, desc, 1);