Commit 7aedc687 authored by Trond Myklebust's avatar Trond Myklebust
Browse files

NFSv4.2: Deal with potential READ_PLUS data extent buffer overflow 



If the server returns more data than we have buffer space for, then
we need to truncate and exit early.

Signed-off-by: default avatarTrond Myklebust <trond.myklebust@hammerspace.com>
parent 503b934a

fs/nfs/nfs42xdr.c

+7 −2
Original line number Diff line number Diff line
@@ -1026,6 +1026,7 @@ static int decode_deallocate(struct xdr_stream *xdr, struct nfs42_falloc_res *re 
}



static int decode_read_plus_data(struct xdr_stream *xdr,

				 struct nfs_pgio_args *args,

				 struct nfs_pgio_res *res)

{

	uint32_t count, recvd;
@@ -1041,8 +1042,12 @@ static int decode_read_plus_data(struct xdr_stream *xdr, 
	recvd = xdr_align_data(xdr, res->count, xdr_align_size(count));

	if (recvd > count)

		recvd = count;

	if (res->count + recvd > args->count) {

		if (args->count > res->count)

			res->count += args->count - res->count;

		return 1;

	}

	res->count += recvd;



	if (count > recvd)

		return 1;

	return 0;
@@ -1119,7 +1124,7 @@ static int decode_read_plus(struct xdr_stream *xdr, struct nfs_pgio_res *res) 


		type = be32_to_cpup(p++);

		if (type == NFS4_CONTENT_DATA)

			status = decode_read_plus_data(xdr, res);

			status = decode_read_plus_data(xdr, args, res);

		else if (type == NFS4_CONTENT_HOLE)

			status = decode_read_plus_hole(xdr, args, res, &eof);

		else

CRA Git | Maintained and supported by SUSTech CRA and CCSE