Skip to content

Commit

Permalink
NFS4: avoid underflow when converting error to pointer.
Browse files Browse the repository at this point in the history 
In nfs4_create_sec_client, 'flavor' can hold a negative error
code (returned from nfs4_negotiate_security), even though it
is an 'enum' and hence unsigned.

The code is careful to cast it to an (int) before testing if it
is negative, however it doesn't cast to an (int) before calling
ERR_PTR.

On a machine where "void*" is larger than "int", this results in
the unsigned equivalent of -1 (e.g. 0xffffffff) being converted
to a pointer.  Subsequent code determines that this is not
negative, and so  dereferences it with predictable results.

So: cast 'flavor' to a (signed) int before passing to ERR_PTR.

cc: Benny Halevy <bhalevy@tonian.com>
Signed-off-by: NeilBrown <neilb@suse.de>
Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
  • Loading branch information
NeilBrown authored and Trond Myklebust committed Sep 25, 2012
1 parent e8d920c commit 62d98c9
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion fs/nfs/nfs4namespace.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -198,7 +198,7 @@ struct rpc_clnt *nfs4_create_sec_client(struct rpc_clnt *clnt, struct inode *ino

flavor = nfs4_negotiate_security(inode, name);
if ((int)flavor < 0)
return ERR_PTR(flavor);
return ERR_PTR((int)flavor);

clone = rpc_clone_client(clnt);
if (IS_ERR(clone))
Expand Down

0 comments on commit 62d98c9

Please sign in to comment.