nfsd4: fix bad bounds checking

[karo-tx-linux.git] / fs / nfsd / nfs4xdr.c

diff --git a/fs/nfsd/nfs4xdr.c b/fs/nfsd/nfs4xdr.c
index 51c9e9ca39a4d7c5e0537a2cafed4ec9caeb789d..12935209deca4410b3e2d261d8127b0847c0b709 100644 (file)
--- a/fs/nfsd/nfs4xdr.c
+++ b/fs/nfsd/nfs4xdr.c
@@ -1072,8 +1072,9 @@ nfsd4_decode_rename(struct nfsd4_compoundargs *argp, struct nfsd4_rename *rename
 
        READ_BUF(4);
        rename->rn_snamelen = be32_to_cpup(p++);
-       READ_BUF(rename->rn_snamelen + 4);
+       READ_BUF(rename->rn_snamelen);
        SAVEMEM(rename->rn_sname, rename->rn_snamelen);
+       READ_BUF(4);
        rename->rn_tnamelen = be32_to_cpup(p++);
        READ_BUF(rename->rn_tnamelen);
        SAVEMEM(rename->rn_tname, rename->rn_tnamelen);
@@ -1155,13 +1156,14 @@ nfsd4_decode_setclientid(struct nfsd4_compoundargs *argp, struct nfsd4_setclient
        READ_BUF(8);
        setclientid->se_callback_prog = be32_to_cpup(p++);
        setclientid->se_callback_netid_len = be32_to_cpup(p++);
-
-       READ_BUF(setclientid->se_callback_netid_len + 4);
+       READ_BUF(setclientid->se_callback_netid_len);
        SAVEMEM(setclientid->se_callback_netid_val, setclientid->se_callback_netid_len);
+       READ_BUF(4);
        setclientid->se_callback_addr_len = be32_to_cpup(p++);
 
-       READ_BUF(setclientid->se_callback_addr_len + 4);
+       READ_BUF(setclientid->se_callback_addr_len);
        SAVEMEM(setclientid->se_callback_addr_val, setclientid->se_callback_addr_len);
+       READ_BUF(4);
        setclientid->se_callback_ident = be32_to_cpup(p++);
 
        DECODE_TAIL;
@@ -1815,8 +1817,9 @@ nfsd4_decode_compound(struct nfsd4_compoundargs *argp)
 
        READ_BUF(4);
        argp->taglen = be32_to_cpup(p++);
-       READ_BUF(argp->taglen + 8);
+       READ_BUF(argp->taglen);
        SAVEMEM(argp->tag, argp->taglen);
+       READ_BUF(8);
        argp->minorversion = be32_to_cpup(p++);
        argp->opcnt = be32_to_cpup(p++);
        max_reply += 4 + (XDR_QUADLEN(argp->taglen) << 2);