On Jul 10, 2014, at 2:19 PM, J. Bruce Fields <bfields@xxxxxxxxxxxx> wrote: > On Thu, Jul 10, 2014 at 01:44:35PM -0400, Chuck Lever wrote: >> The server should comply with RFC 5667, > > Where's the relevant language? (I took a quick look but didn't see it.) Sorry, I listed the wrong RFC when I wrote the description of bug 246. It’s actually RFC 5666, section 3.7. > >> and handle WRITE payloads >> that may not have a zero pad on the end (XDR length round-up). >> >> Fixes: f34b9568 (The NFSv2/NFSv3 server does not handle zero...) >> BugLink: https://bugzilla.linux-nfs.org/show_bug.cgi?id=246 >> Signed-off-by: Chuck Lever <chuck.lever@xxxxxxxxxx> >> --- >> >> fs/nfsd/nfs3xdr.c | 15 +-------------- >> fs/nfsd/nfsxdr.c | 16 +--------------- >> 2 files changed, 2 insertions(+), 29 deletions(-) >> >> diff --git a/fs/nfsd/nfs3xdr.c b/fs/nfsd/nfs3xdr.c >> index e6c01e8..6074f6a 100644 >> --- a/fs/nfsd/nfs3xdr.c >> +++ b/fs/nfsd/nfs3xdr.c >> @@ -361,7 +361,7 @@ int >> nfs3svc_decode_writeargs(struct svc_rqst *rqstp, __be32 *p, >> struct nfsd3_writeargs *args) >> { >> - unsigned int len, v, hdr, dlen; >> + unsigned int len, v, hdr; >> u32 max_blocksize = svc_max_payload(rqstp); >> >> p = decode_fh(p, &args->fh); >> @@ -383,19 +383,6 @@ nfs3svc_decode_writeargs(struct svc_rqst *rqstp, __be32 *p, >> * bytes. >> */ >> hdr = (void*)p - rqstp->rq_arg.head[0].iov_base; >> - dlen = rqstp->rq_arg.head[0].iov_len + rqstp->rq_arg.page_len >> - - hdr; >> - /* >> - * Round the length of the data which was specified up to >> - * the next multiple of XDR units and then compare that >> - * against the length which was actually received. >> - * Note that when RPCSEC/GSS (for example) is used, the >> - * data buffer can be padded so dlen might be larger >> - * than required. It must never be smaller. >> - */ >> - if (dlen < XDR_QUADLEN(len)*4) >> - return 0; >> - >> if (args->count > max_blocksize) { >> args->count = max_blocksize; >> len = args->len = max_blocksize; > And then: > } > rqstp->rq_vec[0].iov_base = (void*)p; > rqstp->rq_vec[0].iov_len = rqstp->rq_arg.head[0].iov_len - hdr; > v = 0; > while (len > rqstp->rq_vec[v].iov_len) { > len -= rqstp->rq_vec[v].iov_len; > v++; > rqstp->rq_vec[v].iov_base = page_address(rqstp->rq_pages[v]); > rqstp->rq_vec[v].iov_len = PAGE_SIZE; > } > rqstp->rq_vec[v].iov_len = len; > args->vlen = v + 1; > return 1; > > So if len is allowed to be larger than the available space, then the rq_vec > will get filled with data beyond the end of the client's request. > > I believe the max_blocksize check will at least ensure that rq_pages[v] > is always still a valid page, so we shouldn't crash. But it could > contain random data, and writing that data to a file could disclose > information we don't mean to. > Am I missing something? The v2 case looks similar. > > So I think you just want to drop the round-up of len, not the whole > check. I’ll try that, thanks! > --b. > > >> diff --git a/fs/nfsd/nfsxdr.c b/fs/nfsd/nfsxdr.c >> index 1ac306b..1f5347e 100644 >> --- a/fs/nfsd/nfsxdr.c >> +++ b/fs/nfsd/nfsxdr.c >> @@ -280,7 +280,7 @@ int >> nfssvc_decode_writeargs(struct svc_rqst *rqstp, __be32 *p, >> struct nfsd_writeargs *args) >> { >> - unsigned int len, hdr, dlen; >> + unsigned int len, hdr; >> int v; >> >> p = decode_fh(p, &args->fh); >> @@ -302,20 +302,6 @@ nfssvc_decode_writeargs(struct svc_rqst *rqstp, __be32 *p, >> * bytes. >> */ >> hdr = (void*)p - rqstp->rq_arg.head[0].iov_base; >> - dlen = rqstp->rq_arg.head[0].iov_len + rqstp->rq_arg.page_len >> - - hdr; >> - >> - /* >> - * Round the length of the data which was specified up to >> - * the next multiple of XDR units and then compare that >> - * against the length which was actually received. >> - * Note that when RPCSEC/GSS (for example) is used, the >> - * data buffer can be padded so dlen might be larger >> - * than required. It must never be smaller. >> - */ >> - if (dlen < XDR_QUADLEN(len)*4) >> - return 0; >> - >> rqstp->rq_vec[0].iov_base = (void*)p; >> rqstp->rq_vec[0].iov_len = rqstp->rq_arg.head[0].iov_len - hdr; >> v = 0; >> >> -- >> To unsubscribe from this list: send the line "unsubscribe linux-nfs" in >> the body of a message to majordomo@xxxxxxxxxxxxxxx >> More majordomo info at http://vger.kernel.org/majordomo-info.html > :set > >> diff --git a/fs/nfsd/nfsxdr.c b/fs/nfsd/nfsxdr.c >> index 1ac306b..1f5347e 100644 >> --- a/fs/nfsd/nfsxdr.c >> +++ b/fs/nfsd/nfsxdr.c >> @@ -280,7 +280,7 @@ int >> nfssvc_decode_writeargs(struct svc_rqst *rqstp, __be32 *p, >> struct nfsd_writeargs *args) >> { >> - unsigned int len, hdr, dlen; >> + unsigned int len, hdr; >> int v; >> >> p = decode_fh(p, &args->fh); >> @@ -302,20 +302,6 @@ nfssvc_decode_writeargs(struct svc_rqst *rqstp, __be32 *p, >> * bytes. >> */ >> hdr = (void*)p - rqstp->rq_arg.head[0].iov_base; >> - dlen = rqstp->rq_arg.head[0].iov_len + rqstp->rq_arg.page_len >> - - hdr; >> - >> - /* >> - * Round the length of the data which was specified up to >> - * the next multiple of XDR units and then compare that >> - * against the length which was actually received. >> - * Note that when RPCSEC/GSS (for example) is used, the >> - * data buffer can be padded so dlen might be larger >> - * than required. It must never be smaller. >> - */ >> - if (dlen < XDR_QUADLEN(len)*4) >> - return 0; >> - >> rqstp->rq_vec[0].iov_base = (void*)p; >> rqstp->rq_vec[0].iov_len = rqstp->rq_arg.head[0].iov_len - hdr; >> v = 0; >> >> -- >> To unsubscribe from this list: send the line "unsubscribe linux-nfs" in >> the body of a message to majordomo@xxxxxxxxxxxxxxx >> More majordomo info at http://vger.kernel.org/majordomo-info.html > -- > To unsubscribe from this list: send the line "unsubscribe linux-nfs" in > the body of a message to majordomo@xxxxxxxxxxxxxxx > More majordomo info at http://vger.kernel.org/majordomo-info.html -- Chuck Lever chuck[dot]lever[at]oracle[dot]com -- To unsubscribe from this list: send the line "unsubscribe linux-nfs" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html