From ed4975b13db3220d461b8ea2a764efd6572e156a Mon Sep 17 00:00:00 2001
From: Anand Avati
Date: Tue, 12 Oct 2010 02:25:46 +0000
Subject: nfs: avoid assignment of structure pointer into serialized buffer
With the introduction of variable sized file handle feature in NFS, on-wire lengths of file handles can be lesser than file handle structure of code. Direct pointer assignment into the offsetted buffer and dereference and result in reads beyond the end of buffer and crashes.
Signed-off-by: Anand V. Avati
Signed-off-by: Vijay Bellur
BUG: 999 (Crash in nfs3_fh_resolve_and_resume)
URL: http://bugs.gluster.com/cgi-bin/bugzilla3/show_bug.cgi?id=999
---
xlators/nfs/server/src/nfs3.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
(limited to 'xlators')
diff --git a/xlators/nfs/server/src/nfs3.c b/xlators/nfs/server/src/nfs3.c
index a81676d17..fe265ed73 100644
--- a/xlators/nfs/server/src/nfs3.c
+++ b/xlators/nfs/server/src/nfs3.c
@@ -2096,6 +2096,7 @@ nfs3svc_write_vec (rpcsvc_request_t *req, struct iobuf *iob)
write3args *args = NULL;
int ret = RPCSVC_ACTOR_ERROR;
struct iovec payload = {0, };
+ struct nfs3_fh fh = {{0}, };
if ((!req) || (!iob))
return ret;
@@ -2103,8 +2104,9 @@ nfs3svc_write_vec (rpcsvc_request_t *req, struct iobuf *iob)
args = nfs_rpcsvc_request_private (req);
iobuf_to_iovec (iob, &payload);
iobuf_ref (iob);
- ret = nfs3_write (req, (struct nfs3_fh *)args->file.data.data_val,
- args->offset, args->count, args->stable, payload,iob);
+ memcpy (&fh, args->file.data.data_val, args->file.data.data_len);
+ ret = nfs3_write (req, &fh, args->offset, args->count, args->stable,
+ payload,iob);
xdr_free_write3args_nocopy (args);
GF_FREE (args);
if (ret < 0) {
--
cgit
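Review bot: The new `memcpy (&fh, args->file.data.data_val, args->file.data.data_len)` in the second hunk copies a wire-supplied length into a fixed-size stack object without checking `args->file.data.data_len <= sizeof (fh)`, so the change fixes the short-handle over-read but leaves a possible over-write of `fh` for a handle longer than `struct nfs3_fh`, unless the XDR decoder already caps `data_len` — that cap is not visible in this hunk and should be confirmed. Reject oversized handles before the copy, e.g. `if (args->file.data.data_len > sizeof (fh))` and then skip both the `memcpy` and the `nfs3_write` call so `ret` keeps its error value and the existing `if (ret < 0)` path runs; `nfs3svc_write_vec` begins and ends outside the hunk, so the exact cleanup to route through is not visible here. A short comment above the `memcpy`, such as `/* on-wire fh may be shorter than struct nfs3_fh; copy into a zeroed struct rather than casting the buffer */`, would keep the commit message's rationale next to the code.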