Hi,

got this for inline_xdr_string:
 - I don't get why strlen is called on FREE, we don't need size to
actually be set for it and if it's a free after a decode that failed
(e.g. hit maxlen) then the pointer is not valid
 - hence don't trust size for op FREE and early bailout. That's what the
other xdr functions I looked at (bytes/array) do

diff --git a/ntirpc/rpc/xdr_inline.h b/ntirpc/rpc/xdr_inline.h
index 1e85cba..48c4d8a 100644
--- a/ntirpc/rpc/xdr_inline.h
+++ b/ntirpc/rpc/xdr_inline.h
@@ -654,32 +654,32 @@ inline_xdr_string(XDR *xdrs, char **cpp, u_int
maxsize)
        u_int size = 0;         /* XXX remove warning */
        u_int nodesize;
 
        /*
         * first deal with the length since xdr strings are
         counted-strings
         */
        switch (xdrs->x_op) {
        case XDR_FREE:
                if (sp == NULL)
                        return (true);  /* already free */
-               /* FALLTHROUGH */
+               break;
        case XDR_ENCODE:
                if (sp == NULL)
                        return false;
                size = strlen(sp);
                break;
        case XDR_DECODE:
                break;
        }
        if (!inline_xdr_u_int(xdrs, &size))
                return (false);
-       if (size > maxsize)
+       if (size > maxsize && xdrs->x_op != XDR_FREE)
                return (false);
        nodesize = size + 1;
        if (nodesize == 0) {
                /* This means an overflow.  It a bug in the caller which
                 * provided a too large maxsize but nevertheless catch
                 it
                 * here.
                 */
                return false;
        }
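Review bot: The added `xdrs->x_op != XDR_FREE` test on the `size > maxsize` check looks redundant once the `XDR_FREE` case ends in `break`. On that path `size` is never assigned in the switch and keeps its initializer 0, so, assuming `inline_xdr_u_int(xdrs, &size)` leaves `size` untouched for `XDR_FREE`, `size > maxsize` cannot be true. It also means `u_int size = 0; /* XXX remove warning */` is now required for correctness on the free path rather than only silencing a warning, and the comment should say so. The free path still calls `inline_xdr_u_int` and computes `nodesize = size + 1`, which is now always 1 there. If the intent is the early bailout the message describes, consider doing the free and returning inside `case XDR_FREE:` so that nothing after the switch depends on `size`, and check that the part of the function below this hunk does not hand `nodesize` to the deallocator as the allocation size.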
 
-- 
Dominique

_______________________________________________
Nfs-ganesha-devel mailing list
Nfs-ganesha-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nfs-ganesha-devel