if:
offset = 64bit - 2KB
len = 4KB
then the server will allow the read/write because the check
if (((ssize_t)((off_t)request.from + len) > client->exportsize))
will never trigger: the addition wraps around, so client->exportsize will be
compared with... an offset of 2KB!
continue;
}
+ if (request.from + len < request.from) { // 64 bit overflow!!
+ DEBUG("[RANGE!]");
+ ERROR(client, reply, EINVAL);
+ continue;
+ }
+
if (((ssize_t)((off_t)request.from + len) > client->exportsize)) {
DEBUG("[RANGE!]");
ERROR(client, reply, EINVAL);
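Review bot: The added guard `request.from + len < request.from` only rejects sums that wrap past the full unsigned width, so an offset at or above the signed maximum still reaches the unchanged check after it, where `(off_t)request.from` would turn negative and compare as smaller than `client->exportsize`. That assumes `request.from` is an unsigned 64-bit field and `off_t` is 64-bit, neither of which is visible in the hunk. A single unsigned comparison covers both cases: `if (request.from > (uint64_t)client->exportsize || len > (uint64_t)client->exportsize - request.from) {`. The new branch also logs the same `DEBUG("[RANGE!]")` as the existing one, so a distinct message would let an operator tell an overflow attempt from an ordinary out-of-range request. The enclosing request-handling block starts and ends outside the hunk.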