From 1f23ff72e9d0b555c44dca90a92c6379e5d52f3a Mon Sep 17 00:00:00 2001
From: Andrew Deason
Date: Thu, 17 Dec 2009 15:16:50 -0600
Subject: [PATCH] Check viced FetchData length for cache bypass

Same fix as change I413393a7bacbf207332d7f904cf396c79b77b6b5, but for the cache bypass code.

Change-Id: Ic181e257f7d0e1892bd10bf14d8d5571b4804d63
Reviewed-on: http://gerrit.openafs.org/1000
Tested-by: Andrew Deason
Reviewed-by: Derrick Brashear
---
 src/afs/afs_bypasscache.c | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/src/afs/afs_bypasscache.c b/src/afs/afs_bypasscache.c
index 5ec1fce..dc1f3bd 100644
--- a/src/afs/afs_bypasscache.c
+++ b/src/afs/afs_bypasscache.c
@@ -303,7 +303,8 @@ static afs_int32
 afs_NoCacheFetchProc(register struct rx_call *acall,
 register struct vcache *avc,
 register uio_t *auio,
- afs_int32 release_pages)
+ afs_int32 release_pages,
+ afs_int32 size)
 {
 afs_int32 length;
 afs_int32 code;
@@ -336,6 +337,14 @@ afs_NoCacheFetchProc(register struct rx_call *acall,
 goto done;
 } else
 length = ntohl(length);
+
+ if (length > size) {
+ result = EIO;
+ afs_warn("Preread error. Got length %d, which is greater than size %d\n",
+ length, size);
+ unlock_pages(auio);
+ goto done;
+ }
 
 /*
 * The fetch protocol is extended for the AFS/DFS translator
@@ -606,7 +615,8 @@ afs_PrefetchNoCache(register struct vcache *avc,
 #endif
 if (code == 0) {
 code = afs_NoCacheFetchProc(tcall, avc, auio,
- 1 /* release_pages */);
+ 1 /* release_pages */,
+ bparms->length);
 } else {
 afs_warn("BYPASS: StartRXAFS_FetchData failed: %d\n", code);
 unlock_pages(auio);
-- 
1.9.4
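Review bot: The new `size` parameter in the afs_NoCacheFetchProc signature (first hunk) is undocumented, although it is now the only bound applied to the length reported by the fileserver. A comment above the definition would make the contract explicit, for example `/* size: upper bound, in bytes, on the length the server may report; a larger value fails the fetch with EIO */`. It should also say whether a zero or negative `size` is a legal argument, since the parameter is a signed afs_int32. The function body continues outside this hunk.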
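Review bot: The `length > size` test in the second hunk is a signed comparison, so a server-supplied length with the top bit set is negative after `ntohl` and passes the check. The comment that follows the new block refers to the AFS/DFS translator extension of the fetch protocol; that code is outside the hunk, but if it treats the top bit as a flag and masks it off, the bound is being applied before the value that is actually used as a byte count is known. Either move the check to after any such masking, or, where a flagged length is not expected, tighten the guard to `if (length < 0 || length > size) {`. It is also worth confirming that a reply split into several blocks cannot exceed `size` in total, since the check as written only bounds a single length word.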
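Review bot: `bparms->length` is passed directly into an `afs_int32` parameter at the afs_NoCacheFetchProc call in the third hunk, and its declared type is not visible here. If the field is wider or unsigned, the implicit conversion can truncate or go negative, and a negative `size` makes the new check fail every non-negative reply, while a truncated one rejects valid data. A range check before the call, or a comment such as `/* bparms->length is bounded by the request size and fits in afs_int32 */` stating why the conversion is safe, would settle it. The enclosing afs_PrefetchNoCache starts and ends outside the hunk.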