Hi, got this for inline_xdr_string:

- I don't get why strlen is called on FREE; we don't need size to actually be set for it, and if it's a free after a decode that failed (e.g. hit maxlen) then the pointer is not valid. Hence, don't trust size for op FREE and bail out early. That's what the other xdr functions I looked at (bytes/array) do.
diff --git a/ntirpc/rpc/xdr_inline.h b/ntirpc/rpc/xdr_inline.h index 1e85cba..48c4d8a 100644 --- a/ntirpc/rpc/xdr_inline.h +++ b/ntirpc/rpc/xdr_inline.h @@ -654,32 +654,32 @@ inline_xdr_string(XDR *xdrs, char **cpp, u_int maxsize) u_int size = 0; /* XXX remove warning */ u_int nodesize; /* * first deal with the length since xdr strings are counted-strings */ switch (xdrs->x_op) { case XDR_FREE: if (sp == NULL) return (true); /* already free */ - /* FALLTHROUGH */ + break; case XDR_ENCODE: if (sp == NULL) return false; size = strlen(sp); break; case XDR_DECODE: break; } if (!inline_xdr_u_int(xdrs, &size)) return (false); - if (size > maxsize) + if (size > maxsize && xdrs->x_op != XDR_FREE) return (false); nodesize = size + 1; if (nodesize == 0) { /* This means an overflow. It a bug in the caller which * provided a too large maxsize but nevertheless catch it * here. */ return false; }

-- Dominique

_______________________________________________ Nfs-ganesha-devel mailing list Nfs-ganesha-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/nfs-ganesha-devel
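Review bot: the new `&& xdrs->x_op != XDR_FREE` condition on the `size > maxsize` check looks redundant once the `/* FALLTHROUGH */` becomes `break;`: on XDR_FREE `size` keeps its initializer of 0 and, assuming `inline_xdr_u_int` is a no-op for XDR_FREE like the other primitives, `0 > maxsize` can never be true, so the extra test changes nothing. If the intent is an early bailout that does not trust `size` on FREE, do the release inside `case XDR_FREE:` and return there instead of `break;`, so neither `inline_xdr_u_int` nor the `nodesize` computation runs for a free; the rest of the function below the hunk is not shown, so check what the later FREE branch does with `nodesize` before moving it. Minor: the same arm mixes `return (true);` with `return false;`; follow one style.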
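The behaviour argued for in the mail above (don't trust size on FREE, bail out early), as an added example that is not part of the original mail or of ntirpc: a self-contained C counted-string codec in the shape of inline_xdr_string in which the FREE case completes inside the switch and never reads a length. `struct xbuf`, `xstring`, `OP_ENCODE`/`OP_DECODE`/`OP_FREE` and the `demo_*` functions are hypothetical names standing in for XDR and x_op, the wire images are constructed for the demo, and the example goes a step beyond the patch by also rejecting a length that exceeds the bytes actually present before anything is allocated.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins for XDR and x_op; not ntirpc's types. */
enum xop { OP_ENCODE, OP_DECODE, OP_FREE };
struct xbuf { enum xop op; uint8_t *data; size_t len; size_t pos; };
static size_t pad4(uint32_t n) { return ((size_t)n + 3u) & ~(size_t)3u; } /* XDR 4-byte padding */

static bool put_u32(struct xbuf *x, uint32_t v)
{
    uint8_t *p = x->data + x->pos;
    if (x->len - x->pos < 4) return false;
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16); p[2] = (uint8_t)(v >> 8); p[3] = (uint8_t)v;
    x->pos += 4; return true;
}

static bool get_u32(struct xbuf *x, uint32_t *v)
{
    const uint8_t *p = x->data + x->pos;
    if (x->len - x->pos < 4) return false;
    *v = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
    x->pos += 4; return true;
}

/* Counted-string codec in the shape of inline_xdr_string. FREE completes inside the
 * switch without reading or trusting any length: a free after a rejected decode only
 * sees the caller's pointer, which the rejected decode never touched. */
static bool xstring(struct xbuf *x, char **cpp, uint32_t maxsize)
{
    char *sp = *cpp; uint32_t size; size_t padded;
    switch (x->op) {
    case OP_FREE:
        free(sp); *cpp = NULL;                       /* free(NULL) is a no-op */
        return true;
    case OP_ENCODE:
        if (sp == NULL || strlen(sp) > maxsize) return false;
        size = (uint32_t)strlen(sp); padded = pad4(size);
        if (x->len - x->pos < 4 + padded) return false;
        put_u32(x, size);
        memcpy(x->data + x->pos, sp, size);
        memset(x->data + x->pos + size, 0, padded - size);
        x->pos += padded;
        return true;
    case OP_DECODE:
        if (!get_u32(x, &size)) return false;
        /* Every rejection happens before malloc, so *cpp is left exactly as it was. */
        if (size > maxsize || size == UINT32_MAX) return false;  /* size + 1 would wrap */
        padded = pad4(size);
        if (x->len - x->pos < padded) return false;  /* claims more bytes than are present */
        sp = malloc((size_t)size + 1);
        if (sp == NULL) return false;
        memcpy(sp, x->data + x->pos, size);
        sp[size] = '\0'; x->pos += padded;
        *cpp = sp;
        return true;
    }
    return false;
}

/* Encode a constructed string, decode it back, free it. Returns 1 on success. */
int demo_roundtrip(void)
{
    uint8_t wire[16];
    struct xbuf x = { OP_ENCODE, wire, sizeof wire, 0 };
    char hello[] = "hello", *in = hello, *out = NULL;
    if (!xstring(&x, &in, 64) || x.pos != 12) return 0;      /* 4 len + 5 data + 3 pad */
    x.op = OP_DECODE; x.pos = 0;
    if (!xstring(&x, &out, 64) || out == NULL || strcmp(out, "hello") != 0) return 0;
    x.op = OP_FREE;
    return (xstring(&x, &out, 64) && out == NULL) ? 1 : 0;
}

/* Two constructed hostile wire images: length 0xFFFFFFFF against maxsize 16 (the "hit
 * maxlen" case) and length 100 with only 4 data bytes present. Returns 3 when both
 * decodes fail without allocating and a FREE afterwards still succeeds. */
int demo_rejected_then_freed(void)
{
    uint8_t oversize[8] = { 0xff, 0xff, 0xff, 0xff, 'A', 'A', 'A', 'A' };
    uint8_t truncated[8] = { 0, 0, 0, 100, 'A', 'A', 'A', 'A' };
    uint8_t *wires[2] = { oversize, truncated };
    uint32_t maxsizes[2] = { 16, 200 };
    int ok = 0, i;
    for (i = 0; i < 2; i++) {
        struct xbuf x = { OP_DECODE, wires[i], 8, 0 };
        char *out = NULL;
        if (xstring(&x, &out, maxsizes[i]) || out != NULL) continue;  /* must be rejected, untouched */
        x.op = OP_FREE;
        if (xstring(&x, &out, maxsizes[i]) && out == NULL) ok |= 1 << i;
    }
    return ok;
}

int main(void)
{
    printf("roundtrip=%d rejected_then_freed=%d\n", demo_roundtrip(), demo_rejected_then_freed());
    return 0;
}
```

Compile with `cc -std=c99 -Wall` and run. The decode path allocates only after every check on the wire length has passed, so a failed decode leaves `*cpp` as the caller set it, and the FREE arm returns from inside the switch, which is why it can be safe regardless of what the buffer said about the length.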