9p: ensure logical size fits allocated size
all buffers used to be msize big, but the size can now vary based on
message type and arguments.

Adjust p9_check_errors() to check the logical size (request payload) fits
within the allocated size (capacity) rather than msize.
Note that for zc rpc, the capacity doesn't match the actual allowed
size, we need to add 'inlen' on top... Except transports can adjust it
slightly to fit hardware needs... So this doesn't really make sense.

Transports normally all check this when the packet is being read, but
might as well stay coherent.

Also log allocated size in prepare req.

Link: https://lkml.kernel.org/r/20221118135542.63400-2-asmadeus@codewreck.org
Fixes: 60ece08 ("net/9p: allocate appropriate reduced message buffers")
Signed-off-by: Dominique Martinet <asmadeus@codewreck.org>
martinetd committed Nov 19, 2022
1 parent ebd09c8 commit 162015a
Showing 1 changed file with 10 additions and 8 deletions.
18 changes: 10 additions & 8 deletions net/9p/client.c
@@ -500,24 +500,25 @@ EXPORT_SYMBOL(p9_parse_header);
* p9_check_errors - check 9p packet for error return and process it
* @c: current client instance
* @req: request to parse and check for error conditions
* @inlen: additional input buffer length for zc rpc
*
* returns error code if one is discovered, otherwise returns 0
*
* this will have to be more complicated if we have multiple
* error packet types
*/

static int p9_check_errors(struct p9_client *c, struct p9_req_t *req)
static int p9_check_errors(struct p9_client *c, struct p9_req_t *req, size_t inlen)
{
s8 type;
int err;
int ecode;

err = p9_parse_header(&req->rc, NULL, &type, NULL, 0);
if (req->rc.size >= c->msize) {
if (req->rc.size > req->rc.capacity + inlen) {
p9_debug(P9_DEBUG_ERROR,
"requested packet size too big: %d\n",
req->rc.size);
"requested packet size too big: %d does not fit %ld\n",
req->rc.size, req->rc.capacity);
return -EIO;
}
/* dump the response from server
@@ -617,8 +618,6 @@ static struct p9_req_t *p9_client_prepare_req(struct p9_client *c,
struct p9_req_t *req;
va_list apc;

p9_debug(P9_DEBUG_MUX, "client %p op %d\n", c, type);

/* we allow for any status other than disconnected */
if (c->status == Disconnected)
return ERR_PTR(-EIO);
@@ -633,6 +632,9 @@ static struct p9_req_t *p9_client_prepare_req(struct p9_client *c,
if (IS_ERR(req))
return req;

p9_debug(P9_DEBUG_MUX, "client %p op %d, buffer sizes %zd / %zd\n",
c, type, req->tc.capacity, req->rc.capacity);

/* marshall the data */
p9pdu_prepare(&req->tc, req->tc.tag, type);
err = p9pdu_vwritef(&req->tc, c->proto_version, fmt, ap);
@@ -736,7 +738,7 @@ p9_client_rpc(struct p9_client *c, int8_t type, const char *fmt, ...)
if (err < 0)
goto reterr;

err = p9_check_errors(c, req);
err = p9_check_errors(c, req, 0);
trace_9p_client_res(c, type, req->rc.tag, err);
if (!err)
return req;
@@ -818,7 +820,7 @@ static struct p9_req_t *p9_client_zc_rpc(struct p9_client *c, int8_t type,
if (err < 0)
goto reterr;

err = p9_check_errors(c, req);
err = p9_check_errors(c, req, inlen);
trace_9p_client_res(c, type, req->rc.tag, err);
if (!err)
return req;
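Review bot: In p9_check_errors the new error message prints `req->rc.capacity` with `%ld`, while the p9_client_prepare_req hunk prints the same field with `%zd`; if capacity is a size_t, as the `%zd` use suggests, `%ld` is a format mismatch on 32-bit builds and `%zu` would be the matching specifier in both places. The logged bound also omits `inlen`, so on the zero-copy path the message reports a smaller limit than the one actually compared against; `"requested packet size too big: %d does not fit %zu\n", req->rc.size, req->rc.capacity + inlen` would log the real bound. Because `rc.size` comes from the reply header parsed on the line above, this comparison is the client-side bound on a peer-supplied length, and for zc rpc it is only approximate, as the commit message itself notes, so the transport's own length check remains the authoritative one. The function body continues outside the hunk.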
