From: Chuck Lever <chuck.lever@oracle.com>
Date: Thu, 23 Apr 2009 23:33:10 +0000 (-0400)
Subject: NFSD: Stricter buffer size checking in write_recoverydir()
X-Git-Tag: v2.6.31-rc1~57^2~41
X-Git-Url: https://git.karo-electronics.de/?a=commitdiff_plain;h=3d72ab8fdd44c872633b210dd1a4afd2910d0bbb;p=karo-tx-linux.git

NFSD: Stricter buffer size checking in write_recoverydir()

While it's not likely a pathname will be longer than
SIMPLE_TRANSACTION_SIZE, we should be more careful about just
plopping it into the output buffer without bounds checking.

Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: J. Bruce Fields <bfields@citi.umich.edu>
---

diff --git a/fs/nfsd/nfsctl.c b/fs/nfsd/nfsctl.c
index b64a7fbfccf5..c4843467cfd4 100644
--- a/fs/nfsd/nfsctl.c
+++ b/fs/nfsd/nfsctl.c
@@ -1260,8 +1260,9 @@ static ssize_t __write_recoverydir(struct file *file, char *buf, size_t size)
 
 		status = nfs4_reset_recoverydir(recdir);
 	}
-	sprintf(buf, "%s\n", nfs4_recoverydir());
-	return strlen(buf);
+
+	return scnprintf(buf, SIMPLE_TRANSACTION_LIMIT, "%s\n",
+							nfs4_recoverydir());
 }
 
 /**