diff options
author | Sascha Hauer <s.hauer@pengutronix.de> | 2021-05-11 10:49:26 +0200 |
---|---|---|
committer | Sascha Hauer <s.hauer@pengutronix.de> | 2021-05-12 07:31:48 +0200 |
commit | ce0103c4d585a41d7e158e8d211502910752bfd9 (patch) | |
tree | 5a50f2801fb3aa78396f5b6be5f6bce9bed09854 | |
parent | b1d6710dce6f2f5b7dff4d6f127a75acad8da9af (diff) | |
download | barebox-ce0103c4d585a41d7e158e8d211502910752bfd9.tar.gz barebox-ce0103c4d585a41d7e158e8d211502910752bfd9.tar.xz |
fs: nfs: Fix readlink max size check
We must at maximum use all remaining bytes from the packet. This means
we have to set length to the *minimum* of the desired length and the
remaining bytes, not the *maximum*.
/me goes hiding somewhere...
Fixes: 574ce99401 ("fs: nfs: Fix possible buffer overflow")
Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
-rw-r--r-- | fs/nfs.c | 2 |
1 files changed, 1 insertions, 1 deletions
@@ -1125,7 +1125,7 @@ static int nfs_readlink_req(struct nfs_priv *npriv, struct nfs_fh *fh, len = ntoh32(net_read_uint32(p)); /* new path length */ - len = max_t(unsigned int, len, + len = min_t(unsigned int, len, nfs_packet->len - sizeof(struct rpc_reply) - sizeof(uint32_t)); p++; |