>>>>> " " == Daniel Marmier <daniel.marmier@lightning.ch> writes:
> When booting 2.3.99-pre5 with root filesystem on NFS, I get a
> NULL pointer dereference in
> fs/nfs/mount_clnt.c:xdr_decode_fhstatus (l. 124) It is easily
> fixed by removing the line
> memset((u8 *)res, 0, sizeof(*res));
> that causes the pointer res->fh to be cleared. I guess the same
> applies to function xdr_decode_fhstatus3.
Oops... The following patch should implement what we really want to do
there: namely to zero out the file handle.
Cheers,
Trond
--- linux/fs/nfs/mount_clnt.c.orig Thu Apr 6 23:55:12 2000
+++ linux/fs/nfs/mount_clnt.c Thu Apr 13 10:08:52 2000
@@ -120,10 +120,12 @@
static int
xdr_decode_fhstatus(struct rpc_rqst *req, u32 *p, struct mnt_fhstatus *res)
{
- memset((u8 *)res, 0, sizeof(*res));
+ struct nfs_fh *fh = res->fh;
+
+ memset((void *)fh, 0, sizeof(*fh));
if ((res->status = ntohl(*p++)) == 0) {
- res->fh->size = NFS2_FHSIZE;
- memcpy(res->fh->data, p, NFS2_FHSIZE);
+ fh->size = NFS2_FHSIZE;
+ memcpy(fh->data, p, NFS2_FHSIZE);
}
return 0;
}
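Review bot: The reason the whole-struct memset was wrong is not recorded next to the new code, so the next cleanup pass could reintroduce it; a one-line comment above the memset on the added line would pin it down, e.g. `/* res->fh points at caller-provided storage: clear the handle, never *res */` (the report quoted above shows res->fh is already set on entry, which is why zeroing *res nulled it). The `(void *)` cast on `memset((void *)fh, ...)` is redundant since memset takes a `void *`; `memset(fh, 0, sizeof(*fh));` reads cleaner. The same two remarks apply to the identical lines in the xdr_decode_fhstatus3 hunk below.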
@@ -131,12 +133,14 @@
static int
xdr_decode_fhstatus3(struct rpc_rqst *req, u32 *p, struct mnt_fhstatus *res)
{
- memset((u8 *)res, 0, sizeof(*res));
+ struct nfs_fh *fh = res->fh;
+
+ memset((void *)fh, 0, sizeof(*fh));
if ((res->status = ntohl(*p++)) == 0) {
int size = ntohl(*p++);
if (size <= NFS3_FHSIZE) {
- res->fh->size = size;
- memcpy(res->fh->data, p, res->fh->size);
+ fh->size = size;
+ memcpy(fh->data, p, size);
} else
res->status = -EBADHANDLE;
}
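Review bot: The length check on `if (size <= NFS3_FHSIZE)` has no lower bound: `size` is a signed `int` filled from `ntohl()`, so a reply carrying a value with the top bit set compares as negative, passes the test, and the added `memcpy(fh->data, p, size)` then receives that value converted to a very large `size_t`. The value comes off the wire from the mount daemon, so it should be treated as untrusted; either declare it unsigned, `u32 size = ntohl(*p++);`, or tighten the test to `if (size >= 0 && size <= NFS3_FHSIZE) {`. The hunk header (`-131,12 +133,14`) does not match the visible line count and the function's `return` is outside the hunk, so the tail of xdr_decode_fhstatus3 is not visible here.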
-