I've gotten push-back on the idea of rejecting RPC messages where
the RPC record size is larger than the RPC message itself. Therefore
that concept has been dropped from this series.
I've now been able to reproduce, exactly as it was described, a
recently-reported problem with READDIR handling. I've fixed that and
also determined that no other legacy NFS operations appear to be
vulnerable to this particular issue (within the Linux NFS server).
Changes since v1:
- Dropped the xdr_buf_length() helper
- Replaced 7/7 with patch that cleans up an unneeded use of xdr_buf::len
- Dropped the checks for oversized RPC records
- Fixed narrow problem with NFSv2 and NFSv3 READDIR processing
---
Chuck Lever (7):
SUNRPC: Fix svcxdr_init_decode's end-of-buffer calculation
SUNRPC: Fix svcxdr_init_encode's buflen calculation
NFSD: Protect against READDIR send buffer overflow
NFSD: Use xdr_inline_decode() to decode NFSv3 symlinks
NFSD: Clean up WRITE arg decoders
SUNRPC: Fix typo in xdr_buf_subsegment's kdoc comment
NFSD: Clean up nfs4svc_encode_compoundres()
fs/nfsd/nfs3proc.c | 5 ++---
fs/nfsd/nfs3xdr.c | 18 ++++--------------
fs/nfsd/nfs4xdr.c | 4 ----
fs/nfsd/nfsproc.c | 5 ++---
fs/nfsd/nfsxdr.c | 4 +---
include/linux/sunrpc/svc.h | 19 +++++++++++++++----
net/sunrpc/xdr.c | 2 +-
7 files changed, 25 insertions(+), 32 deletions(-)
--
Chuck Lever
