author | Alex Shi <alex.shi@linaro.org> | 2017-05-31 12:02:43 +0800 |
---|---|---|
committer | Alex Shi <alex.shi@linaro.org> | 2017-05-31 12:02:43 +0800 |
commit | a898540914d4136f29bc738ce593c1c501006f23 (patch) | |
tree | 9440b7f76c029143611c89ed919718ba6ff353f4 /fs/nfsd/nfssvc.c | |
parent | d97f745e1d2fea4d2f308e5e06eee81a9a84f3f5 (diff) | |
parent | 56d847e3ef9433d7ac92376e4ba49d3cf3cb70d2 (diff) |
Merge tag 'v4.1.40' into linux-linaro-lsk-v4.1lsk-v4.1-17.06lsk-v4.1-17.05linux-linaro-lsk-v4.1
This is the 4.1.40 stable release
Diffstat (limited to 'fs/nfsd/nfssvc.c')
-rw-r--r-- | fs/nfsd/nfssvc.c | 36 |
1 files changed, 36 insertions, 0 deletions
diff --git a/fs/nfsd/nfssvc.c b/fs/nfsd/nfssvc.c
index 9277cc91c21b..c493427e9d69 100644
--- a/fs/nfsd/nfssvc.c
+++ b/fs/nfsd/nfssvc.c
@@ -647,6 +647,37 @@ static __be32 map_new_errors(u32 vers, __be32 nfserr)
 return nfserr;
 }
 
+/*
+ * A write procedure can have a large argument, and a read procedure can
+ * have a large reply, but no NFSv2 or NFSv3 procedure has argument and
+ * reply that can both be larger than a page. The xdr code has taken
+ * advantage of this assumption to be a sloppy about bounds checking in
+ * some cases. Pending a rewrite of the NFSv2/v3 xdr code to fix that
+ * problem, we enforce these assumptions here:
+ */
+static bool nfs_request_too_big(struct svc_rqst *rqstp,
+ struct svc_procedure *proc)
+{
+ /*
+ * The ACL code has more careful bounds-checking and is not
+ * susceptible to this problem:
+ */
+ if (rqstp->rq_prog != NFS_PROGRAM)
+ return false;
+ /*
+ * Ditto NFSv4 (which can in theory have argument and reply both
+ * more than a page):
+ */
+ if (rqstp->rq_vers >= 4)
+ return false;
+ /* The reply will be small, we're OK: */
+ if (proc->pc_xdrressize > 0 &&
+ proc->pc_xdrressize < XDR_QUADLEN(PAGE_SIZE))
+ return false;
+
+ return rqstp->rq_arg.len > PAGE_SIZE;
+}
+
 int
 nfsd_dispatch(struct svc_rqst *rqstp, __be32 *statp)
 {
@@ -659,6 +690,11 @@ nfsd_dispatch(struct svc_rqst *rqstp, __be32 *statp)
 rqstp->rq_vers, rqstp->rq_proc);
 proc = rqstp->rq_procinfo;
 
+ if (nfs_request_too_big(rqstp, proc)) {
+ dprintk("nfsd: NFSv%d argument too large\n", rqstp->rq_vers);
+ *statp = rpc_garbage_args;
+ return 1;
+ }
 /*
 * Give the xdr decoder a chance to change this if it wants
 * (necessary in the NFSv4.0 compound case) |
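Review bot: The final test in nfs_request_too_big() bounds only the total `rqstp->rq_arg.len`, so it does not check any length field carried inside the argument against the bytes actually received. The header comment says the NFSv2/v3 xdr code is lax about bounds, and those decoders are outside this hunk, so it is worth stating the limit of the guard next to it, e.g. `Note: this caps the total argument size only; each decoder must still check embedded lengths against rq_arg.` The small-reply test would also read more easily with a comment such as `/* pc_xdrressize is compared in XDR_QUADLEN units; a value of 0 is treated as "reply may be large" */`, which is inferred from the `> 0` condition and should be confirmed against the procedure tables. The comment also has a typo, "to be a sloppy", which should read "to be a bit sloppy".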
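Review bot: The new rejection branch in nfsd_dispatch() reports the event only through `dprintk`, which prints nothing unless nfsd debugging is enabled, so an oversized NFSv2/v3 argument is answered with `rpc_garbage_args` and leaves no record on a normally configured server. A request of this shape is unusual for a well-behaved client, so I would log it rate-limited and include the procedure and length, e.g. `pr_warn_ratelimited("nfsd: NFSv%u proc %u argument too large (%u bytes)\n", rqstp->rq_vers, rqstp->rq_proc, rqstp->rq_arg.len);`. The body of nfsd_dispatch() starts and ends outside this hunk, so I am assuming nothing later in the function already accounts for the rejected request.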