From beb6cfdad55aed970d9c3232db536736e2171c25 Mon Sep 17 00:00:00 2001
From: Trond Myklebust <Trond.Myklebust@netapp.com>
Date: Wed, 10 Aug 2005 18:15:12 -0400
Subject: [PATCH] --- yaml --- r: 5799 b: refs/heads/master c:
 58fcb8df0bf663bb6b8f46cd3010bfe8d13d97cf h: refs/heads/master i:   5797:
 12fd579efbff4a85e44dec353081367e072850c6   5795:
 a35e60a7a2389f30e1b7525c1fe08a44fd05716c   5791:
 a70f423557bf1d54055684c3beeaf3604cb79efa v: v3

---
 [refs]                           | 2 +-
 trunk/fs/nfs_common/nfsacl.c     | 1 +
 trunk/include/linux/sunrpc/xdr.h | 1 +
 trunk/net/sunrpc/xdr.c           | 1 +
 4 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/[refs] b/[refs]
index ebc99e32a0bb..7b8f80eb09cd 100644
--- a/[refs]
+++ b/[refs]
@@ -1,2 +1,2 @@
 ---
-refs/heads/master: 75cd968ab251ac84dd3a5dc252af7036dc4a64f4
+refs/heads/master: 58fcb8df0bf663bb6b8f46cd3010bfe8d13d97cf
diff --git a/trunk/fs/nfs_common/nfsacl.c b/trunk/fs/nfs_common/nfsacl.c
index 18c58c32e326..251e5a1bb1c4 100644
--- a/trunk/fs/nfs_common/nfsacl.c
+++ b/trunk/fs/nfs_common/nfsacl.c
@@ -239,6 +239,7 @@ nfsacl_decode(struct xdr_buf *buf, unsigned int base, unsigned int *aclcnt,
 	if (xdr_decode_word(buf, base, &entries) ||
 	    entries > NFS_ACL_MAX_ENTRIES)
 		return -EINVAL;
+	nfsacl_desc.desc.array_maxlen = entries;
 	err = xdr_decode_array2(buf, base + 4, &nfsacl_desc.desc);
 	if (err)
 		return err;
diff --git a/trunk/include/linux/sunrpc/xdr.h b/trunk/include/linux/sunrpc/xdr.h
index 34ec3e8d99b3..23448d0fb5bc 100644
--- a/trunk/include/linux/sunrpc/xdr.h
+++ b/trunk/include/linux/sunrpc/xdr.h
@@ -177,6 +177,7 @@ typedef int (*xdr_xcode_elem_t)(struct xdr_array2_desc *desc, void *elem);
 struct xdr_array2_desc {
 	unsigned int elem_size;
 	unsigned int array_len;
+	unsigned int array_maxlen;
 	xdr_xcode_elem_t xcode;
 };
 
diff --git a/trunk/net/sunrpc/xdr.c b/trunk/net/sunrpc/xdr.c
index 8a4d9c106af1..fde16f40a581 100644
--- a/trunk/net/sunrpc/xdr.c
+++ b/trunk/net/sunrpc/xdr.c
@@ -993,6 +993,7 @@ xdr_xcode_array2(struct xdr_buf *buf, unsigned int base,
 			return -EINVAL;
 	} else {
 		if (xdr_decode_word(buf, base, &desc->array_len) != 0 ||
+		    desc->array_len > desc->array_maxlen ||
 		    (unsigned long) base + 4 + desc->array_len *
 				    desc->elem_size > buf->len)
 			return -EINVAL;