Re: NFS client can crash server due to overrun in nfsd4_decode_bitmap4()

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Sat, Nov 13, 2021 at 09:31:40PM +0000, Chuck Lever III wrote:
> This allows the client to send bitmaps larger than bmval[],
> as the old decoder did,

Oh, thanks, right, I guess rejecting too-large bitmaps outright might
cause compatibility problems with future implementations.

(Hm, ideally, shouldn't we be checking whether bits are set beyond where
we expect so that e.g. we can return NFS4ERR_ATTRNOTSUPP on operations
that set attributes?  Perhaps that's more than is necessary; it's a
separate issue, anyway.)

--b.

> and ensures that decode_bitmap()
> cannot write farther than @bmlen into the bmval array.
> 
> 
> > 		return nfserr_bad_xdr;
> > 	p = xdr_inline_decode(argp->xdr, count << 2);
> > 	if (!p)
> 
> --
> Chuck Lever
> 
> 



[Index of Archives]     [Linux Filesystem Development]     [Linux USB Development]     [Linux Media Development]     [Video for Linux]     [Linux NILFS]     [Linux Audio Users]     [Yosemite Info]     [Linux SCSI]

  Powered by Linux