From: NeilBrown
There are a couple of tests which could possibly be confused by extremely large numbers appearing in 'xdr' packets. I think the closest to an exploit you could get would be writing random data from a free page into a file - i.e. leak data out of kernel space. I'm fairly sure they cannot be used for remote compromise.
Signed-off-by: Neil Brown
Signed-off-by: Andrew Morton
---
fs/nfsd/nfs3xdr.c | 3 ++-
include/linux/nfsd/xdr3.h | 2 +-
include/linux/sunrpc/svc.h | 3 ++-
3 files changed, 5 insertions(+), 3 deletions(-)
diff -puN fs/nfsd/nfs3xdr.c~knfsd-fix-some-minor-sign-problems-in-nfsd-xdr fs/nfsd/nfs3xdr.c
--- 25/fs/nfsd/nfs3xdr.c~knfsd-fix-some-minor-sign-problems-in-nfsd-xdr Fri Oct 14 12:27:34 2005
+++ 25-akpm/fs/nfsd/nfs3xdr.c Fri Oct 14 12:27:34 2005
@@ -366,7 +366,8 @@ nfs3svc_decode_writeargs(struct svc_rqst
 len = args->len = ntohl(*p++);
 hdr = (void*)p - rqstp->rq_arg.head[0].iov_base;
- if (rqstp->rq_arg.len < len + hdr)
+ if (rqstp->rq_arg.len < hdr ||
+ rqstp->rq_arg.len - hdr < len)
 return 0;
 args->vec[0].iov_base = (void*)p;
diff -puN include/linux/nfsd/xdr3.h~knfsd-fix-some-minor-sign-problems-in-nfsd-xdr include/linux/nfsd/xdr3.h
--- 25/include/linux/nfsd/xdr3.h~knfsd-fix-some-minor-sign-problems-in-nfsd-xdr Fri Oct 14 12:27:34 2005
+++ 25-akpm/include/linux/nfsd/xdr3.h Fri Oct 14 12:27:34 2005
@@ -42,7 +42,7 @@ struct nfsd3_writeargs {
 __u64 offset;
 __u32 count;
 int stable;
- int len;
+ __u32 len;
 struct kvec vec[RPCSVC_MAXPAGES];
 int vlen;
 };
diff -puN include/linux/sunrpc/svc.h~knfsd-fix-some-minor-sign-problems-in-nfsd-xdr include/linux/sunrpc/svc.h
--- 25/include/linux/sunrpc/svc.h~knfsd-fix-some-minor-sign-problems-in-nfsd-xdr Fri Oct 14 12:27:34 2005
+++ 25-akpm/include/linux/sunrpc/svc.h Fri Oct 14 12:27:34 2005
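Review bot: The rewritten bound in nfs3svc_decode_writeargs, `rqstp->rq_arg.len - hdr < len`, is only free of wrap-around if the locals `len` and `hdr` are unsigned, and their declarations lie outside this hunk, so that should be confirmed. `len` is taken straight from `ntohl(*p++)`, i.e. from the client, and the reason for comparing by subtraction is not obvious to a later reader; I would add `/* len is client-supplied: subtract rather than add so the sum cannot wrap */` above the test. The test relates `len` only to the bytes received; whether it is also checked against `args->count` or a maximum write size is not visible here. The function body starts and ends outside the hunk.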
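Review bot: `len` in struct nfsd3_writeargs becomes `__u32` while the adjacent `int vlen` stays signed, so any consumer that compares or subtracts `args->len` against a signed value is now evaluated as unsigned; those users are outside this patch and should be checked. A short field comment such as `__u32 len; /* opaque data length as sent by the client */` would record that this is a wire value rather than a validated size.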
@@ -171,7 +171,8 @@ xdr_argsize_check(struct svc_rqst *rqstp
 {
 char *cp = (char *)p;
 struct kvec *vec = &rqstp->rq_arg.head[0];
- return cp - (char*)vec->iov_base <= vec->iov_len;
+ return cp >= (char*)vec->iov_base
+ && cp <= (char*)vec->iov_base + vec->iov_len;
 }
 static inline int
_
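Review bot: The lower-bound test added to xdr_argsize_check has no comment explaining why it is needed, so a later cleanup could fold the two comparisons back into a single subtraction. I would add `/* p must still point inside head[0]; below iov_base means the decoder moved backwards or wrapped */` above the `return`. Relational comparison of a pointer that may lie outside the buffer is formally undefined in ISO C, so the check relies on the kernel's flat address model, which is presumably acceptable here but is not stated anywhere. The check covers only `rq_arg.head[0]`, and the function's signature begins outside the hunk.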