During review of the v2 of this series, Jeff suggested looking at svc_max_payload() call sites for similar issues, and I found some. I've included fixes for NFSv2 and NFSv3 operations in v3 of this series.

The NFSv4 stack is different than NFSv2/3, so the simple fixes proposed here are not appropriate there. For one thing, NFSv4 has these op_rsize_bop helpers that use svc_max_payload() to estimate the reply size -- but these are called well before svcxdr_init_encode() has set rq_res.buflen. I'm still working on fixes for those (including get/listxattr, getattr, read, readdir, etc.).

Changes since v2:
- Dropped the clean-up patches; will re-post those separately, later
- Added fixes for NFSv3 READ and for NFSv2 READ and READDIR
- Hopefully addressed a crash when @dircount is too large

Changes since v1:
- Dropped the xdr_buf_length() helper
- Replaced 7/7 with patch that cleans up an unneeded use of xdr_buf::len
- Dropped the checks for oversized RPC records
- Fixed narrow problem with NFSv2 and NFSv3 READDIR processing

---

Chuck Lever (6):
      SUNRPC: Fix svcxdr_init_decode's end-of-buffer calculation
      SUNRPC: Fix svcxdr_init_encode's buflen calculation
      NFSD: Protect against send buffer overflow in NFSv2 READDIR
      NFSD: Protect against send buffer overflow in NFSv3 READDIR
      NFSD: Protect against send buffer overflow in NFSv2 READ
      NFSD: Protect against send buffer overflow in NFSv3 READ

 fs/nfsd/nfs3proc.c         | 11 ++++++-----
 fs/nfsd/nfsproc.c          |  6 +++---
 include/linux/sunrpc/svc.h | 19 +++++++++++++++----
 3 files changed, 24 insertions(+), 12 deletions(-)

--
Chuck Lever