According to RFC5661, 18.36.3,
"if the client selects a value for ca_maxresponsesize such that
a replier on a channel could never send a response,the server
SHOULD return NFS4ERR_TOOSMALL in the CREATE_SESSION reply."
This patch let server error out when client sets maxreq_sz less than
SEQUENCE request size, and maxresp_sz less than a SEQUENCE reply size.
Signed-off-by: Mi Jinlong <mijinlong@xxxxxxxxxxxxxx>
---
fs/nfsd/nfs4xdr.c | 18 ++++++++++++++++++
1 files changed, 18 insertions(+), 0 deletions(-)
diff --git a/fs/nfsd/nfs4xdr.c b/fs/nfsd/nfs4xdr.c
index c6766af..8983d03 100644
--- a/fs/nfsd/nfs4xdr.c
+++ b/fs/nfsd/nfs4xdr.c
@@ -131,6 +131,14 @@ xdr_error: \
} \
} while (0)
+#define op_decode_hdr_size (1)
+#define op_encode_hdr_size (2)
+
+#define decode_sequence_size (op_decode_hdr_size + \
+ XDR_QUADLEN(NFS4_MAX_SESSIONID_LEN) + 4)
+#define encode_sequence_size (op_encode_hdr_size + \
+ XDR_QUADLEN(NFS4_MAX_SESSIONID_LEN) + 5)
+
static __be32 *read_buf(struct nfsd4_compoundargs *argp, u32 nbytes)
{
/* We want more bytes than seem to be available.
@@ -1154,7 +1162,17 @@ nfsd4_decode_create_session(struct nfsd4_compoundargs *argp,
READ_BUF(28);
READ32(dummy); /* headerpadsz is always 0 */
READ32(sess->fore_channel.maxreq_sz);
+ if (sess->fore_channel.maxreq_sz < decode_sequence_size) {
+ status = nfserr_toosmall;
+ goto out;
+ }
+
READ32(sess->fore_channel.maxresp_sz);
+ if (sess->fore_channel.maxresp_sz < encode_sequence_size) {
+ status = nfserr_toosmall;
+ goto out;
+ }
+
READ32(sess->fore_channel.maxresp_cached);
READ32(sess->fore_channel.maxops);
READ32(sess->fore_channel.maxreqs);
--
1.7.4.5
--
To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
