iv/linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

NFSv4.2: Don't error when exiting early on a READ_PLUS buffer overflow

Browse Source 
Expanding the READ_PLUS extents can cause the read buffer to overflow.
If it does, then don't error, but just exit early.

Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
This commit is contained in:
Trond Myklebust 2020-12-08 07:51:29 -05:00
parent dac3b1059b
commit 503b934a75
1 changed files with 17 additions and 19 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

36
fs/nfs/nfs42xdr.c
View File

@ -1025,16 +1025,16 @@ static int decode_deallocate(struct xdr_stream *xdr, struct nfs42_falloc_res *re
return decode_op_hdr(xdr, OP_DEALLOCATE); return decode_op_hdr(xdr, OP_DEALLOCATE);
} }
static int decode_read_plus_data(struct xdr_stream *xdr, struct nfs_pgio_res *res, static int decode_read_plus_data(struct xdr_stream *xdr,
uint32_t *eof) struct nfs_pgio_res *res)
{ {
uint32_t count, recvd; uint32_t count, recvd;
uint64_t offset; uint64_t offset;
__be32 *p; __be32 *p;
p = xdr_inline_decode(xdr, 8 + 4); p = xdr_inline_decode(xdr, 8 + 4);
if (unlikely(!p)) if (!p)
return -EIO; return 1;
p = xdr_decode_hyper(p, &offset); p = xdr_decode_hyper(p, &offset);
count = be32_to_cpup(p); count = be32_to_cpup(p);
@ -1043,13 +1043,8 @@ static int decode_read_plus_data(struct xdr_stream *xdr, struct nfs_pgio_res *re
recvd = count; recvd = count;
res->count += recvd; res->count += recvd;
if (count > recvd) { if (count > recvd)
dprintk("NFS: server cheating in read reply: "
"count %u > recvd %u\n", count, recvd);
*eof = 0;
return 1; return 1;
}
return 0; return 0;
} }
@ -1061,8 +1056,8 @@ static int decode_read_plus_hole(struct xdr_stream *xdr,
__be32 *p; __be32 *p;
p = xdr_inline_decode(xdr, 8 + 8); p = xdr_inline_decode(xdr, 8 + 8);
if (unlikely(!p)) if (!p)
return -EIO; return 1;
p = xdr_decode_hyper(p, &offset); p = xdr_decode_hyper(p, &offset);
p = xdr_decode_hyper(p, &length); p = xdr_decode_hyper(p, &length);
@ -1089,10 +1084,8 @@ static int decode_read_plus_hole(struct xdr_stream *xdr,
recvd = xdr_expand_hole(xdr, res->count, length); recvd = xdr_expand_hole(xdr, res->count, length);
res->count += recvd; res->count += recvd;
if (recvd < length) { if (recvd < length)
*eof = 0;
return 1; return 1;
}
return 0; return 0;
} }
@ -1121,12 +1114,12 @@ static int decode_read_plus(struct xdr_stream *xdr, struct nfs_pgio_res *res)
for (i = 0; i < segments; i++) { for (i = 0; i < segments; i++) {
p = xdr_inline_decode(xdr, 4); p = xdr_inline_decode(xdr, 4);
if (unlikely(!p)) if (!p)
return -EIO; goto early_out;
type = be32_to_cpup(p++); type = be32_to_cpup(p++);
if (type == NFS4_CONTENT_DATA) if (type == NFS4_CONTENT_DATA)
status = decode_read_plus_data(xdr, res, &eof); status = decode_read_plus_data(xdr, res);
else if (type == NFS4_CONTENT_HOLE) else if (type == NFS4_CONTENT_HOLE)
status = decode_read_plus_hole(xdr, args, res, &eof); status = decode_read_plus_hole(xdr, args, res, &eof);
else else
@ -1135,12 +1128,17 @@ static int decode_read_plus(struct xdr_stream *xdr, struct nfs_pgio_res *res)
if (status < 0) if (status < 0)
return status; return status;
if (status > 0) if (status > 0)
break; goto early_out;
} }
out: out:
res->eof = eof; res->eof = eof;
return 0; return 0;
early_out:
if (unlikely(!i))
return -EIO;
res->eof = 0;
return 0;
} }
static int decode_seek(struct xdr_stream *xdr, struct nfs42_seek_res *res) static int decode_seek(struct xdr_stream *xdr, struct nfs42_seek_res *res)