On Thu, 2024-01-25 at 07:45 -0700, Jorge Mora wrote:
> If the XDR buffer is not large enough to fit all attributes
> and the remaining bytes left in the XDR buffer (xdrleft) is
> equal to the number of bytes for the current attribute, then
> the loop will prematurely exit without setting eof to FALSE.
> Also in this case, adding the eof flag to the buffer will
> make the reply 4 bytes larger than lsxa_maxcount.
>
> Need to check if there are enough bytes to fit not only the
> next attribute name but also the eof as well.
>
> Fixes: 23e50fe3a5e6 ("nfsd: implement the xattr functions and en/decode logic")
> Signed-off-by: Jorge Mora <mora@xxxxxxxxxx>
> ---
> fs/nfsd/nfs4xdr.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/fs/nfsd/nfs4xdr.c b/fs/nfsd/nfs4xdr.c
> index 17e6404f4296..26993bf368fc 100644
> --- a/fs/nfsd/nfs4xdr.c
> +++ b/fs/nfsd/nfs4xdr.c
> @@ -5182,7 +5182,8 @@ nfsd4_encode_listxattrs(struct nfsd4_compoundres *resp, __be32 nfserr,
>
> slen -= XATTR_USER_PREFIX_LEN;
> xdrlen = 4 + ((slen + 3) & ~3);
> - if (xdrlen > xdrleft) {
> + /* Check if both entry and eof can fit in the XDR buffer */
> + if (xdrlen + 4 > xdrleft) {
> if (count == 0) {
> /*
> * Can't even fit the first attribute name.
Reviewed-by: Jeff Layton <jlayton@xxxxxxxxxx>
