Fix memory corruption caused by nfsd readdir+
author Petr Vandrovec <petr@vandrovec.name>
Sat, 14 Nov 2009 09:47:07 +0000 (10:47 +0100)
committer Linus Torvalds <torvalds@linux-foundation.org>
Sat, 14 Nov 2009 20:55:55 +0000 (12:55 -0800)
Commit 8177e6d6dfb9cd03d9bdeb647c32161f8f58f686 ("nfsd: clean up
readdirplus encoding") introduced a single-character typo in the nfs3
readdir+ implementation.  Unfortunately that typo has quite bad side
effects: random memory corruption, followed (on my box) by an immediate
spontaneous box reboot.

Using 'p1' instead of 'p' fixes my Linux box rebooting whenever a VMware
ESXi box tries to list the contents of my home directory.

Signed-off-by: Petr Vandrovec <petr@vandrovec.name>
Cc: "J. Bruce Fields" <bfields@fieldses.org>
Cc: Neil Brown <neilb@suse.de>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
fs/nfsd/nfs3xdr.c

index edf926e1062f8be520b4b64de72e9f26e7aaa0f6..d0a2ce1b43248a6eacbff2b4804314c57b898cbc 100644 (file)
@@ -958,7 +958,7 @@ encode_entry(struct readdir_cd *ccd, const char *name, int namlen,
                p1 = encode_entry_baggage(cd, p1, name, namlen, ino);
 
                if (plus)
                p1 = encode_entry_baggage(cd, p1, name, namlen, ino);
 
                if (plus)
-                       p = encode_entryplus_baggage(cd, p1, name, namlen);
+                       p1 = encode_entryplus_baggage(cd, p1, name, namlen);
 
                /* determine entry word length and lengths to go in pages */
                num_entry_words = p1 - tmp;
 
                /* determine entry word length and lengths to go in pages */
                num_entry_words = p1 - tmp;
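
Review bot: the cursor names `p` and `p1` in the `if (plus)` branch differ by a single character, which is how the wrong one ended up on the left-hand side; consider giving the temporary cursor a more descriptive name, or adding a short comment above `p1 = encode_entry_baggage(...)` saying that every encoder in this block must advance `p1`. The fix is consistent with the surrounding lines: the following statement computes `num_entry_words = p1 - tmp`, so with the result stored in `p` that length did not include whatever `encode_entryplus_baggage()` appended, and `p` was overwritten as well. The commit message describes the symptom (memory corruption and a reboot) but not this mechanism; one sentence stating that the entry length was computed from a cursor that had not been advanced would help anyone deciding whether to backport the fix.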