Signed-off-by: Chuck Lever <chuck.lever@xxxxxxxxxx>
---
fs/nfsd/nfs4xdr.c | 187 +++++++++++++++++++++++++++++++----------------------
1 file changed, 108 insertions(+), 79 deletions(-)
diff --git a/fs/nfsd/nfs4xdr.c b/fs/nfsd/nfs4xdr.c
index 69ff666a5695..9a6116cee94b 100644
--- a/fs/nfsd/nfs4xdr.c
+++ b/fs/nfsd/nfs4xdr.c
@@ -307,17 +307,15 @@ nfsd4_decode_bitmap4(struct nfsd4_compoundargs *argp, u32 *bmval,
}
static __be32
-nfsd4_decode_fattr(struct nfsd4_compoundargs *argp, u32 *bmval,
- struct iattr *iattr, struct nfs4_acl **acl,
- struct xdr_netobj *label, int *umask)
+nfsd4_decode_fattr4(struct nfsd4_compoundargs *argp, u32 *bmval, u32 bmlen,
+ struct iattr *iattr, struct nfs4_acl **acl,
+ struct xdr_netobj *label, int *umask)
{
- int expected_len, len = 0;
- u32 dummy32;
- char *buf;
+ u32 dummy32, expected_len, len;
+ __be32 *p, status;
- DECODE_HEAD;
iattr->ia_valid = 0;
- status = nfsd4_decode_bitmap4(argp, bmval, 3);
+ status = nfsd4_decode_bitmap4(argp, bmval, bmlen);
if (status)
goto out;
@@ -329,21 +327,25 @@ nfsd4_decode_fattr(struct nfsd4_compoundargs *argp, u32 *bmval,
return nfserr_attrnotsupp;
}
- READ_BUF(4);
- expected_len = be32_to_cpup(p++);
+ if (xdr_stream_decode_u32(argp->xdr, &expected_len) < 0)
+ goto xdr_error;
+ len = 0;
if (bmval[0] & FATTR4_WORD0_SIZE) {
- READ_BUF(8);
- len += 8;
- p = xdr_decode_hyper(p, &iattr->ia_size);
+ p = xdr_inline_decode(argp->xdr, sizeof(__be64));
+ if (!p)
+ goto xdr_error;
+ len += sizeof(__be64);
+ xdr_decode_hyper(p, &iattr->ia_size);
iattr->ia_valid |= ATTR_SIZE;
}
if (bmval[0] & FATTR4_WORD0_ACL) {
u32 nace;
struct nfs4_ace *ace;
- READ_BUF(4); len += 4;
- nace = be32_to_cpup(p++);
+ if (xdr_stream_decode_u32(argp->xdr, &nace) < 0)
+ goto xdr_error;
+ len += sizeof(__be32);
if (nace > xdr_stream_remaining(argp->xdr) / sizeof(struct nfs4_ace))
/*
@@ -355,72 +357,83 @@ nfsd4_decode_fattr(struct nfsd4_compoundargs *argp, u32 *bmval,
*acl = svcxdr_tmpalloc(argp, nfs4_acl_bytes(nace));
if (*acl == NULL)
- return nfserr_jukebox;
+ goto nomem;
(*acl)->naces = nace;
for (ace = (*acl)->aces; ace < (*acl)->aces + nace; ace++) {
- READ_BUF(16); len += 16;
+ p = xdr_inline_decode(argp->xdr, sizeof(__be32) * 4);
+ if (!p)
+ goto xdr_error;
+ len += sizeof(__be32) * 4;
ace->type = be32_to_cpup(p++);
ace->flag = be32_to_cpup(p++);
ace->access_mask = be32_to_cpup(p++);
- dummy32 = be32_to_cpup(p++);
- READ_BUF(dummy32);
- len += XDR_QUADLEN(dummy32) << 2;
- READMEM(buf, dummy32);
- ace->whotype = nfs4_acl_get_whotype(buf, dummy32);
+ dummy32 = be32_to_cpup(p);
+ p = xdr_inline_decode(argp->xdr, dummy32);
+ if (!p)
+ goto xdr_error;
+ len += xdr_align_size(dummy32);
+ ace->whotype = nfs4_acl_get_whotype((char *)p, dummy32);
status = nfs_ok;
if (ace->whotype != NFS4_ACL_WHO_NAMED)
;
else if (ace->flag & NFS4_ACE_IDENTIFIER_GROUP)
status = nfsd_map_name_to_gid(argp->rqstp,
- buf, dummy32, &ace->who_gid);
+ (char *)p, dummy32, &ace->who_gid);
else
status = nfsd_map_name_to_uid(argp->rqstp,
- buf, dummy32, &ace->who_uid);
+ (char *)p, dummy32, &ace->who_uid);
if (status)
return status;
}
} else
*acl = NULL;
if (bmval[1] & FATTR4_WORD1_MODE) {
- READ_BUF(4);
- len += 4;
- iattr->ia_mode = be32_to_cpup(p++);
+ if (xdr_stream_decode_u32(argp->xdr, &dummy32) < 0)
+ goto xdr_error;
+ len += sizeof(__be32);
+ iattr->ia_mode = dummy32;
iattr->ia_mode &= (S_IFMT | S_IALLUGO);
iattr->ia_valid |= ATTR_MODE;
}
if (bmval[1] & FATTR4_WORD1_OWNER) {
- READ_BUF(4);
- len += 4;
- dummy32 = be32_to_cpup(p++);
- READ_BUF(dummy32);
- len += (XDR_QUADLEN(dummy32) << 2);
- READMEM(buf, dummy32);
- if ((status = nfsd_map_name_to_uid(argp->rqstp, buf, dummy32, &iattr->ia_uid)))
+ if (xdr_stream_decode_u32(argp->xdr, &dummy32) < 0)
+ goto xdr_error;
+ len += sizeof(__be32);
+ p = xdr_inline_decode(argp->xdr, dummy32);
+ if (!p)
+ goto xdr_error;
+ len += xdr_align_size(dummy32);
+ status = nfsd_map_name_to_uid(argp->rqstp, (char *)p, dummy32,
+ &iattr->ia_uid);
+ if (status)
return status;
iattr->ia_valid |= ATTR_UID;
}
if (bmval[1] & FATTR4_WORD1_OWNER_GROUP) {
- READ_BUF(4);
- len += 4;
- dummy32 = be32_to_cpup(p++);
- READ_BUF(dummy32);
- len += (XDR_QUADLEN(dummy32) << 2);
- READMEM(buf, dummy32);
- if ((status = nfsd_map_name_to_gid(argp->rqstp, buf, dummy32, &iattr->ia_gid)))
+ if (xdr_stream_decode_u32(argp->xdr, &dummy32) < 0)
+ goto xdr_error;
+ len += sizeof(__be32);
+ p = xdr_inline_decode(argp->xdr, dummy32);
+ if (!p)
+ goto xdr_error;
+ len += xdr_align_size(dummy32);
+ status = nfsd_map_name_to_gid(argp->rqstp, (char *)p, dummy32,
+ &iattr->ia_gid);
+ if (status)
return status;
iattr->ia_valid |= ATTR_GID;
}
if (bmval[1] & FATTR4_WORD1_TIME_ACCESS_SET) {
- READ_BUF(4);
- len += 4;
- dummy32 = be32_to_cpup(p++);
+ if (xdr_stream_decode_u32(argp->xdr, &dummy32) < 0)
+ goto xdr_error;
+ len += sizeof(__be32);
switch (dummy32) {
case NFS4_SET_TO_CLIENT_TIME:
- len += 12;
status = nfsd4_decode_nfstime4(argp, &iattr->ia_atime);
if (status)
return status;
+ len += sizeof(__be64) + sizeof(__be32);
iattr->ia_valid |= (ATTR_ATIME | ATTR_ATIME_SET);
break;
case NFS4_SET_TO_SERVER_TIME:
@@ -431,15 +444,15 @@ nfsd4_decode_fattr(struct nfsd4_compoundargs *argp, u32 *bmval,
}
}
if (bmval[1] & FATTR4_WORD1_TIME_MODIFY_SET) {
- READ_BUF(4);
- len += 4;
- dummy32 = be32_to_cpup(p++);
+ if (xdr_stream_decode_u32(argp->xdr, &dummy32) < 0)
+ goto xdr_error;
+ len += sizeof(__be32);
switch (dummy32) {
case NFS4_SET_TO_CLIENT_TIME:
- len += 12;
status = nfsd4_decode_nfstime4(argp, &iattr->ia_mtime);
if (status)
return status;
+ len += sizeof(__be64) + sizeof(__be32);
iattr->ia_valid |= (ATTR_MTIME | ATTR_MTIME_SET);
break;
case NFS4_SET_TO_SERVER_TIME:
@@ -453,40 +466,51 @@ nfsd4_decode_fattr(struct nfsd4_compoundargs *argp, u32 *bmval,
label->len = 0;
if (IS_ENABLED(CONFIG_NFSD_V4_SECURITY_LABEL) &&
bmval[2] & FATTR4_WORD2_SECURITY_LABEL) {
- READ_BUF(4);
- len += 4;
- dummy32 = be32_to_cpup(p++); /* lfs: we don't use it */
- READ_BUF(4);
- len += 4;
- dummy32 = be32_to_cpup(p++); /* pi: we don't use it either */
- READ_BUF(4);
- len += 4;
- dummy32 = be32_to_cpup(p++);
- READ_BUF(dummy32);
+ /* lfs is ignored */
+ if (xdr_stream_decode_u32(argp->xdr, &dummy32) < 0)
+ goto xdr_error;
+ len += sizeof(__be32);
+ /* pi is ignored */
+ if (xdr_stream_decode_u32(argp->xdr, &dummy32) < 0)
+ goto xdr_error;
+ len += sizeof(__be32);
+ if (xdr_stream_decode_u32(argp->xdr, &dummy32) < 0)
+ goto xdr_error;
if (dummy32 > NFS4_MAXLABELLEN)
return nfserr_badlabel;
- len += (XDR_QUADLEN(dummy32) << 2);
- READMEM(buf, dummy32);
+ len += sizeof(__be32);
+ p = xdr_inline_decode(argp->xdr, dummy32);
+ if (!p)
+ goto xdr_error;
+ len += xdr_align_size(dummy32);
label->len = dummy32;
- label->data = svcxdr_dupstr(argp, buf, dummy32);
+ label->data = svcxdr_dupstr(argp, p, dummy32);
if (!label->data)
- return nfserr_jukebox;
+ goto nomem;
}
if (bmval[2] & FATTR4_WORD2_MODE_UMASK) {
if (!umask)
goto xdr_error;
- READ_BUF(8);
- len += 8;
- dummy32 = be32_to_cpup(p++);
+ if (xdr_stream_decode_u32(argp->xdr, &dummy32) < 0)
+ goto xdr_error;
+ len += sizeof(__be32);
iattr->ia_mode = dummy32 & (S_IFMT | S_IALLUGO);
- dummy32 = be32_to_cpup(p++);
+ if (xdr_stream_decode_u32(argp->xdr, &dummy32) < 0)
+ goto xdr_error;
+ len += sizeof(__be32);
*umask = dummy32 & S_IRWXUGO;
iattr->ia_valid |= ATTR_MODE;
}
if (len != expected_len)
goto xdr_error;
+ status = nfs_ok;
- DECODE_TAIL;
+out:
+ return status;
+xdr_error:
+ return nfserr_bad_xdr;
+nomem:
+ return nfserr_jukebox;
}
static __be32 nfsd4_decode_clientid4(struct nfsd4_compoundargs *argp,
@@ -706,9 +730,10 @@ nfsd4_decode_create(struct nfsd4_compoundargs *argp, struct nfsd4_create *create
&create->cr_namelen);
if (status)
goto out;
- status = nfsd4_decode_fattr(argp, create->cr_bmval, &create->cr_iattr,
- &create->cr_acl, &create->cr_label,
- &create->cr_umask);
+ status = nfsd4_decode_fattr4(argp, create->cr_bmval,
+ ARRAY_SIZE(create->cr_bmval),
+ &create->cr_iattr, &create->cr_acl,
+ &create->cr_label, &create->cr_umask);
if (status)
goto out;
@@ -965,9 +990,10 @@ nfsd4_decode_open(struct nfsd4_compoundargs *argp, struct nfsd4_open *open)
switch (open->op_createmode) {
case NFS4_CREATE_UNCHECKED:
case NFS4_CREATE_GUARDED:
- status = nfsd4_decode_fattr(argp, open->op_bmval,
- &open->op_iattr, &open->op_acl, &open->op_label,
- &open->op_umask);
+ status = nfsd4_decode_fattr4(argp, open->op_bmval,
+ ARRAY_SIZE(open->op_bmval),
+ &open->op_iattr, &open->op_acl,
+ &open->op_label, &open->op_umask);
if (status)
goto out;
break;
@@ -980,9 +1006,10 @@ nfsd4_decode_open(struct nfsd4_compoundargs *argp, struct nfsd4_open *open)
goto xdr_error;
READ_BUF(NFS4_VERIFIER_SIZE);
COPYMEM(open->op_verf.data, NFS4_VERIFIER_SIZE);
- status = nfsd4_decode_fattr(argp, open->op_bmval,
- &open->op_iattr, &open->op_acl, &open->op_label,
- &open->op_umask);
+ status = nfsd4_decode_fattr4(argp, open->op_bmval,
+ ARRAY_SIZE(open->op_bmval),
+ &open->op_iattr, &open->op_acl,
+ &open->op_label, &open->op_umask);
if (status)
goto out;
break;
@@ -1220,8 +1247,10 @@ nfsd4_decode_setattr(struct nfsd4_compoundargs *argp, struct nfsd4_setattr *seta
status = nfsd4_decode_stateid4(argp, &setattr->sa_stateid);
if (status)
return status;
- return nfsd4_decode_fattr(argp, setattr->sa_bmval, &setattr->sa_iattr,
- &setattr->sa_acl, &setattr->sa_label, NULL);
+ return nfsd4_decode_fattr4(argp, setattr->sa_bmval,
+ ARRAY_SIZE(setattr->sa_bmval),
+ &setattr->sa_iattr, &setattr->sa_acl,
+ &setattr->sa_label, NULL);
}
static __be32
