NFS: Fix a buffer overflow in the allocation of struct nfs_read/writedata

Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
author: Trond Myklebust <Trond.Myklebust@netapp.com> 2007-04-10 09:26:35 -0400
committer: Trond Myklebust <Trond.Myklebust@netapp.com> 2007-04-30 22:17:07 -0700
commit: 8d5658c949e6d89edc579a1f112aeee3bc232a8e (patch)
tree: f206d3f6809eeb0ca23c1999cf79aa294968b113 /fs/nfs/direct.c
parent: c63c7b051395368573779c8309aa5c990dcf2f96 (diff)
1 files changed, 3 insertions, 2 deletions
diff --git a/fs/nfs/direct.c b/fs/nfs/direct.c
index 2877744cb60..889de60f8a8 100644
--- a/fs/nfs/direct.c
+++ b/fs/nfs/direct.c
@@ -54,6 +54,7 @@
 #include <asm/uaccess.h>
 #include <asm/atomic.h>
 
+#include "internal.h"
 #include "iostat.h"
 
 #define NFSDBG_FACILITY		NFSDBG_VFS
@@ -271,7 +272,7 @@ static ssize_t nfs_direct_read_schedule(struct nfs_direct_req *dreq, unsigned lo
 		bytes = min(rsize,count);
 
 		result = -ENOMEM;
-		data = nfs_readdata_alloc(pgbase + bytes);
+		data = nfs_readdata_alloc(nfs_page_array_len(pgbase, bytes));
 		if (unlikely(!data))
 			break;
 
@@ -602,7 +603,7 @@ static ssize_t nfs_direct_write_schedule(struct nfs_direct_req *dreq, unsigned l
 		bytes = min(wsize,count);
 
 		result = -ENOMEM;
-		data = nfs_writedata_alloc(pgbase + bytes);
+		data = nfs_writedata_alloc(nfs_page_array_len(pgbase, bytes));
 		if (unlikely(!data))
 			break;
author	Trond Myklebust <Trond.Myklebust@netapp.com>	2007-04-10 09:26:35 -0400
committer	Trond Myklebust <Trond.Myklebust@netapp.com>	2007-04-30 22:17:07 -0700
commit	8d5658c949e6d89edc579a1f112aeee3bc232a8e (patch)
tree	f206d3f6809eeb0ca23c1999cf79aa294968b113 /fs/nfs/direct.c
parent	c63c7b051395368573779c8309aa5c990dcf2f96 (diff)