NFSD: Protect against send buffer overflow in NFSv2 READDIR (00b44926) · Commits · EulixOS / Software / Kernel

fs/nfsd/nfsproc.c

+2 −3

Original line number	Diff line number	Diff line
		@@ -567,12 +567,11 @@ static void nfsd_init_dirlist_pages(struct svc_rqst *rqstp,
		struct xdr_buf *buf = &resp->dirlist;
		struct xdr_stream *xdr = &resp->xdr;

		count = clamp(count, (u32)(XDR_UNIT * 2), svc_max_payload(rqstp));

		memset(buf, 0, sizeof(*buf));

		/* Reserve room for the NULL ptr & eof flag (-2 words) */
		buf->buflen = count - XDR_UNIT * 2;
		buf->buflen = clamp(count, (u32)(XDR_UNIT * 2), (u32)PAGE_SIZE);
		buf->buflen -= XDR_UNIT * 2;
		buf->pages = rqstp->rq_next_page;
		rqstp->rq_next_page++;