Subject: Re: NFSv3 bug
To: None <tech-kern@netbsd.org>
From: Manuel Bouyer <bouyer@antioche.eu.org>
List: tech-kern
Date: 09/27/2002 21:32:13
On Thu, Sep 26, 2002 at 11:24:55PM +0200, Manuel Bouyer wrote:
> Well, this would be a bug in the client, then :)
> We should probably sanity-check what we get from network, but then the whole
> NFS code needs to be audited. That's more than what I can do at this time.
> I can fix this one however. Would anyone object to the attached patch?
I committed the attached patch. In addition to checking for quad_t overflow,
it also checks for flush requests past end of file.
--
Manuel Bouyer <bouyer@antioche.eu.org>
--
Index: nfs_serv.c
===================================================================
RCS file: /cvsroot/syssrc/sys/nfs/nfs_serv.c,v
retrieving revision 1.64
diff -u -r1.64 nfs_serv.c
--- nfs_serv.c 2002/09/26 20:41:25 1.64
+++ nfs_serv.c 2002/09/27 19:28:33
@@ -2989,7 +2989,7 @@
int error = 0, rdonly, for_ret = 1, aft_ret = 1, cnt, cache;
char *cp2;
struct mbuf *mb, *mb2, *mreq;
- u_quad_t frev, off;
+ u_quad_t frev, off, end;
#ifndef nolint
cache = 0;
@@ -3009,10 +3009,10 @@
return (0);
}
for_ret = VOP_GETATTR(vp, &bfor, cred, procp);
- if (cnt > 0)
- error = VOP_FSYNC(vp, cred, FSYNC_WAIT, off, off + cnt, procp);
- else
- error = VOP_FSYNC(vp, cred, FSYNC_WAIT, off, vp->v_size, procp);
+ end = (cnt > 0) ? off + cnt : vp->v_size;
+ if (end < off || end > vp->v_size)
+ end = vp->v_size;
+ error = VOP_FSYNC(vp, cred, FSYNC_WAIT, off, end, procp);
aft_ret = VOP_GETATTR(vp, &aft, cred, procp);
vput(vp);
nfsm_reply(NFSX_V3WCCDATA + NFSX_V3WRITEVERF);
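Review bot: the clamp `if (end < off || end > vp->v_size) end = vp->v_size;` leaves `off` itself unchecked: for a request whose offset is already at or beyond vp->v_size, `end` is set to vp->v_size, which is then smaller than `off`, so VOP_FSYNC is called with an inverted range (start past end). Consider treating `off >= vp->v_size` as nothing to flush (skip the VOP_FSYNC, or clamp `off` as well) before the call. The `end < off` test does correctly catch u_quad_t wraparound of `off + cnt` when cnt > 0.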
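Added example, not the committed code and not part of the thread: the same range check as a stand-alone C function. It typedefs u_quad_t locally, takes the count as the 32-bit wire value, and additionally rejects requests that begin at or past EOF, which the clamp in the patch leaves as an inverted range.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>
typedef uint64_t u_quad_t;   /* local stand-in for the kernel's u_quad_t */

/*
 * Validate a COMMIT (offset, count) pair taken from the wire against the
 * file size: cnt == 0 means "to end of file", off + cnt must not wrap the
 * 64-bit offset, and the range is clamped at v_size as in the patch.
 * Additionally rejects requests starting at or past EOF, which the clamp
 * alone would turn into an inverted (start > end) range for VOP_FSYNC.
 */
bool nfs_commit_range(u_quad_t off, uint32_t cnt, u_quad_t v_size,
                      u_quad_t *start, u_quad_t *end)
{
    u_quad_t e = (cnt > 0) ? off + (u_quad_t)cnt : v_size;
    if (e < off || e > v_size)  /* wrapped around, or runs past EOF */
        e = v_size;
    if (off >= e)               /* nothing left to flush: reject */
        return false;
    *start = off;
    *end = e;
    return true;
}

/* Validated exclusive end offset, or 0 when the request is rejected
 * (0 can never be the end of a non-empty range). */
u_quad_t nfs_commit_end(u_quad_t off, uint32_t cnt, u_quad_t v_size)
{
    u_quad_t s, e;
    return nfs_commit_range(off, cnt, v_size, &s, &e) ? e : 0;
}

int main(void)
{
    /* Constructed requests against a 1 MiB file: normal, clamped at EOF,
     * whole file (cnt 0), starts past EOF, off + cnt wraps around. */
    const u_quad_t size = 1u << 20;
    const struct { u_quad_t off; uint32_t cnt; } req[] = {
        { 0, 4096 }, { size - 100, 4096 }, { 0, 0 },
        { 2 * size, 100 }, { UINT64_MAX - 10, 100 }
    };
    for (size_t i = 0; i < sizeof req / sizeof req[0]; i++) {
        unsigned long long e = nfs_commit_end(req[i].off, req[i].cnt, size);
        printf("off=%llu cnt=%u -> %s end=%llu\n", (unsigned long long)req[i].off,
               req[i].cnt, e ? "ok" : "rejected", e);
    }
    return 0;
}
```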