Re: [PATCH v3 3/6] NFSD: Protect against send buffer overflow in NFSv2 READDIR

Jeff Layton <jlayton@xxxxxxxxxx> · Fri, 02 Sep 2022 09:09:01 -0400



On Thu, 2022-09-01 at 15:10 -0400, Chuck Lever wrote:
> Restore the previous limit on the @count argument to prevent a
> buffer overflow attack.
> 
> Fixes: 53b1119a6e50 ("NFSD: Fix READDIR buffer overflow")
> Signed-off-by: Chuck Lever <chuck.lever@xxxxxxxxxx>
> ---
>  fs/nfsd/nfsproc.c |    5 ++---
>  1 file changed, 2 insertions(+), 3 deletions(-)
> 
> diff --git a/fs/nfsd/nfsproc.c b/fs/nfsd/nfsproc.c
> index 7381972f1677..ddb1902c0a18 100644
> --- a/fs/nfsd/nfsproc.c
> +++ b/fs/nfsd/nfsproc.c
> @@ -567,12 +567,11 @@ static void nfsd_init_dirlist_pages(struct svc_rqst *rqstp,
>  	struct xdr_buf *buf = &resp->dirlist;
>  	struct xdr_stream *xdr = &resp->xdr;
>  
> -	count = clamp(count, (u32)(XDR_UNIT * 2), svc_max_payload(rqstp));
> -
>  	memset(buf, 0, sizeof(*buf));
>  
>  	/* Reserve room for the NULL ptr & eof flag (-2 words) */
> -	buf->buflen = count - XDR_UNIT * 2;
> +	buf->buflen = clamp(count, (u32)(XDR_UNIT * 2), (u32)PAGE_SIZE);


> +	buf->buflen -= XDR_UNIT * 2;
>  	buf->pages = rqstp->rq_next_page;
>  	rqstp->rq_next_page++;
>  
> 
> 

Reviewed-by: Jeff Layton <jlayton@xxxxxxxxxx>