From: Dan Carpenter <dan.carpenter@oracle.com>

Date: Tue, 11 May 2021 11:49:42 +0300

Subject: [PATCH] NFS: fix an incorrect limit in filelayout_decode_layout()

Git-commit: 769b01ea68b6c49dc3cde6adf7e53927dacbd3a8

Patch-mainline: v5.13-rc4

References: git-fixes

The "sizeof(struct nfs_fh)" is two bytes too large and could lead to

memory corruption.  It should be NFS_MAXFHSIZE because that's the size

of the ->data[] buffer.

I reversed the size of the arguments to put the variable on the left.

Fixes: 16b374ca439f ("NFSv4.1: pnfs: filelayout: add driver's LAYOUTGET and GETDEVICEINFO infrastructure")

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>

Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>

Acked-by: NeilBrown <neilb@suse.com>

---

 fs/nfs/filelayout/filelayout.c |    2 +-

 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/nfs/filelayout/filelayout.c

+++ b/fs/nfs/filelayout/filelayout.c

@@ -717,7 +717,7 @@ filelayout_decode_layout(struct pnfs_lay

 		if (unlikely(!p))

 			goto out_err;

 		fl->fh_array[i]->size = be32_to_cpup(p++);

-		if (sizeof(struct nfs_fh) < fl->fh_array[i]->size) {

+		if (fl->fh_array[i]->size > NFS_MAXFHSIZE) {

 			printk(KERN_ERR "NFS: Too big fh %d received %d\n",

 			       i, fl->fh_array[i]->size);

 			goto out_err;