| Message ID | 166205940565.1435.7170548905174362083.stgit@manet.1015granger.net (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | Fixes for server-side xdr_stream overhaul | expand |
On Thu, 2022-09-01 at 15:10 -0400, Chuck Lever wrote: > Restore the previous limit on the @count argument to prevent a > buffer overflow attack. > > Fixes: 53b1119a6e50 ("NFSD: Fix READDIR buffer overflow") > Signed-off-by: Chuck Lever <chuck.lever@oracle.com> > --- > fs/nfsd/nfsproc.c | 5 ++--- > 1 file changed, 2 insertions(+), 3 deletions(-) > > diff --git a/fs/nfsd/nfsproc.c b/fs/nfsd/nfsproc.c > index 7381972f1677..ddb1902c0a18 100644 > --- a/fs/nfsd/nfsproc.c > +++ b/fs/nfsd/nfsproc.c > @@ -567,12 +567,11 @@ static void nfsd_init_dirlist_pages(struct svc_rqst *rqstp, > struct xdr_buf *buf = &resp->dirlist; > struct xdr_stream *xdr = &resp->xdr; > > - count = clamp(count, (u32)(XDR_UNIT * 2), svc_max_payload(rqstp)); > - > memset(buf, 0, sizeof(*buf)); > > /* Reserve room for the NULL ptr & eof flag (-2 words) */ > - buf->buflen = count - XDR_UNIT * 2; > + buf->buflen = clamp(count, (u32)(XDR_UNIT * 2), (u32)PAGE_SIZE); > + buf->buflen -= XDR_UNIT * 2; > buf->pages = rqstp->rq_next_page; > rqstp->rq_next_page++; > > > Reviewed-by: Jeff Layton <jlayton@kernel.org>
diff --git a/fs/nfsd/nfsproc.c b/fs/nfsd/nfsproc.c index 7381972f1677..ddb1902c0a18 100644 --- a/fs/nfsd/nfsproc.c +++ b/fs/nfsd/nfsproc.c @@ -567,12 +567,11 @@ static void nfsd_init_dirlist_pages(struct svc_rqst *rqstp, struct xdr_buf *buf = &resp->dirlist; struct xdr_stream *xdr = &resp->xdr; - count = clamp(count, (u32)(XDR_UNIT * 2), svc_max_payload(rqstp)); - memset(buf, 0, sizeof(*buf)); /* Reserve room for the NULL ptr & eof flag (-2 words) */ - buf->buflen = count - XDR_UNIT * 2; + buf->buflen = clamp(count, (u32)(XDR_UNIT * 2), (u32)PAGE_SIZE); + buf->buflen -= XDR_UNIT * 2; buf->pages = rqstp->rq_next_page; rqstp->rq_next_page++;
Restore the previous limit on the @count argument to prevent a buffer overflow attack. Fixes: 53b1119a6e50 ("NFSD: Fix READDIR buffer overflow") Signed-off-by: Chuck Lever <chuck.lever@oracle.com> --- fs/nfsd/nfsproc.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-)