linux/fs/nfsd
J. Bruce Fields 51f5677777 nfsd: check for oversized NFSv2/v3 arguments
A client can append random data to the end of an NFSv2 or NFSv3 RPC call
without our complaining; we'll just stop parsing at the end of the
expected data and ignore the rest.

Encoded arguments and replies are stored together in an array of pages,
and if a call is too large it could leave inadequate space for the
reply.  This is normally OK because NFS RPC's typically have either
short arguments and long replies (like READ) or long arguments and short
replies (like WRITE).  But a client that sends an incorrectly long reply
can violate those assumptions.  This was observed to cause crashes.

So, insist that the argument not be any longer than we expect.

Also, several operations increment rq_next_page in the decode routine
before checking the argument size, which can leave rq_next_page pointing
well past the end of the page array, causing trouble later in
svc_free_pages.

As followup we may also want to rewrite the encoding routines to check
more carefully that they aren't running off the end of the page array.

Reported-by: Tuomas Haanpää <thaan@synopsys.com>
Reported-by: Ari Kauppi <ari@synopsys.com>
Cc: stable@vger.kernel.org
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
2017-04-25 17:25:53 -04:00
..
acl.h
auth.c cred: simpler, 1D supplementary groups 2016-10-07 18:46:30 -07:00
auth.h
blocklayout.c fs: add i_blocksize() 2017-02-27 18:43:46 -08:00
blocklayoutxdr.c Highlights: 2016-08-04 19:59:06 -04:00
blocklayoutxdr.h nfsd: add SCSI layout support 2016-03-18 11:42:53 -04:00
cache.h
current_stateid.h
export.c nfsd: opt in to labeled nfs per export 2017-01-31 12:31:54 -05:00
export.h nfsd: allow nfsd to advertise multiple layout types 2016-07-15 15:31:32 -04:00
fault_inject.c Replace <asm/uaccess.h> with <linux/uaccess.h> globally 2016-12-24 11:46:01 -08:00
flexfilelayout.c nfsd: don't set a FL_LAYOUT lease for flexfiles layouts 2016-09-16 16:15:52 -04:00
flexfilelayoutxdr.c nfsd: Add a super simple flex file server 2016-07-13 15:40:48 -04:00
flexfilelayoutxdr.h nfsd: Add a super simple flex file server 2016-07-13 15:40:48 -04:00
idmap.h
Kconfig block: make scsi_request and scsi ioctl support optional 2017-01-31 10:53:05 -07:00
lockd.c lockd: constify nlmsvc_binding structure 2016-01-07 10:10:50 -05:00
Makefile nfsd: Add a super simple flex file server 2016-07-13 15:40:48 -04:00
netns.h netns: make struct pernet_operations::id unsigned int 2016-11-18 10:59:15 -05:00
nfs2acl.c sunrpc: turn bitfield flags in svc_version into bools 2017-02-24 15:50:08 -05:00
nfs3acl.c sunrpc: turn bitfield flags in svc_version into bools 2017-02-24 15:50:08 -05:00
nfs3proc.c NFSD: cleanup dead codes and values in nfsd_write 2017-01-31 12:31:53 -05:00
nfs3xdr.c nfsd: check for oversized NFSv2/v3 arguments 2017-04-25 17:25:53 -04:00
nfs4acl.c nfsd: check permissions when setting ACLs 2016-06-24 12:11:52 -04:00
nfs4callback.c nfsd/callback: Drop a useless data copy when comparing sessionid 2017-02-17 16:26:02 -05:00
nfs4idmap.c nfsd/idmap: return nfserr_inval for 0-length names 2017-02-17 16:25:59 -05:00
nfs4layouts.c driver core patches for 4.11-rc1 2017-02-22 11:44:32 -08:00
nfs4proc.c nfsd: fix oops on unsupported operation 2017-04-13 11:18:56 -04:00
nfs4recover.c Various bugfixes, a RDMA update from Chuck Lever, and support for a new 2016-03-24 10:41:00 -07:00
nfs4state.c nfsd: remove superfluous KERN_INFO 2017-02-24 15:45:13 -05:00
nfs4xdr.c statx: Add a system call to make enhanced file info available 2017-03-02 20:51:15 -05:00
nfscache.c lib/vsprintf.c: remove %Z support 2017-02-27 18:43:47 -08:00
nfsctl.c NFSD: further refinement of content of /proc/fs/nfsd/versions 2017-03-10 17:04:50 -05:00
nfsd.h nfsd: constify nfsd_suppatttrs 2017-01-31 12:31:54 -05:00
nfsfh.c nfsd: check d_can_lookup in fh_verify of directories 2016-08-04 17:11:48 -04:00
nfsfh.h wrappers for ->i_mutex access 2016-01-22 18:04:28 -05:00
nfsproc.c nfsd: map the ENOKEY to nfserr_perm for avoiding warning 2017-03-10 16:54:55 -05:00
nfssvc.c nfsd: check for oversized NFSv2/v3 arguments 2017-04-25 16:34:37 -04:00
nfsxdr.c nfsd: check for oversized NFSv2/v3 arguments 2017-04-25 17:25:53 -04:00
pnfs.h nfsd: don't set a FL_LAYOUT lease for flexfiles layouts 2016-09-16 16:15:52 -04:00
state.h nfsd/callback: Cleanup callback cred on shutdown 2017-02-17 16:26:00 -05:00
stats.c drop redundant ->owner initializations 2016-05-29 19:08:00 -04:00
stats.h
trace.c
trace.h nfsd: add new io class tracepoint 2016-01-14 17:32:51 -05:00
vfs.c nfsd: special case truncates some more 2017-02-21 10:13:37 -05:00
vfs.h statx: Add a system call to make enhanced file info available 2017-03-02 20:51:15 -05:00
xdr3.h
xdr4.h NFSD: Implement the COPY call 2016-10-07 14:54:25 -04:00
xdr4cb.h nfsd: plumb in a CB_NOTIFY_LOCK operation 2016-09-26 15:20:35 -04:00
xdr.h