Skip to content
Permalink
Browse files

nfsd: stricter decoding of write-like NFSv2/v3 ops

The NFSv2/v3 code does not systematically check whether we decode past
the end of the buffer.  This generally appears to be harmless, but there
are a few places where we do arithmetic on the pointers involved and
don't account for the possibility that a length could be negative.  Add
checks to catch these.

Reported-by: Tuomas Haanpää <thaan@synopsys.com>
Reported-by: Ari Kauppi <ari@synopsys.com>
Reviewed-by: NeilBrown <neilb@suse.com>
Cc: stable@vger.kernel.org
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
  • Loading branch information...
J. Bruce Fields
J. Bruce Fields committed Apr 21, 2017
1 parent db44bac commit 13bf9fbff0e5e099e2b6f003a0ab8ae145436309
Showing with 6 additions and 0 deletions.
  1. +4 −0 fs/nfsd/nfs3xdr.c
  2. +2 −0 fs/nfsd/nfsxdr.c
@@ -369,6 +369,8 @@ nfs3svc_decode_writeargs(struct svc_rqst *rqstp, __be32 *p,
args->count = ntohl(*p++);
args->stable = ntohl(*p++);
len = args->len = ntohl(*p++);
if ((void *)p > head->iov_base + head->iov_len)
return 0;
/*
* The count must equal the amount of data passed.
*/
@@ -472,6 +474,8 @@ nfs3svc_decode_symlinkargs(struct svc_rqst *rqstp, __be32 *p,
/* first copy and check from the first page */
old = (char*)p;
vec = &rqstp->rq_arg.head[0];
if ((void *)old > vec->iov_base + vec->iov_len)
return 0;
avail = vec->iov_len - (old - (char*)vec->iov_base);
while (len && avail && *old) {
*new++ = *old++;
@@ -302,6 +302,8 @@ nfssvc_decode_writeargs(struct svc_rqst *rqstp, __be32 *p,
* bytes.
*/
hdr = (void*)p - head->iov_base;
if (hdr > head->iov_len)
return 0;
dlen = head->iov_len + rqstp->rq_arg.page_len - hdr;

/*

0 comments on commit 13bf9fb

Please sign in to comment.
You can’t perform that action at this time.