| Message ID | 1384533481-2254-1-git-send-email-dros@netapp.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
On Nov 15, 2013, at 11:38 AM, Weston Andros Adamson <dros@netapp.com> wrote: > decode_bitmap will only decode up to three bitmaps. If the xdr buffer > has more than three bitmaps, return -EIO here instead of bailing out in > a later xdr decode. > > Signed-off-by: Weston Andros Adamson <dros@netapp.com> > --- > > This is related to my "NFSv4: fix getacl ERANGE for some ACL buffer sizes" > patch - I noticed that even though we'll only ever parse 3 bitmaps, we don't > error out correctly if more are sent. > > This condition is probably never hit, but if it ever is, it'd be nice to > have the code error out where the problem actually occurred. > > fs/nfs/nfs4xdr.c | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/fs/nfs/nfs4xdr.c b/fs/nfs/nfs4xdr.c > index 5be2868..3866a69 100644 > --- a/fs/nfs/nfs4xdr.c > +++ b/fs/nfs/nfs4xdr.c > @@ -3146,6 +3146,9 @@ static int decode_attr_bitmap(struct xdr_stream *xdr, uint32_t *bitmap) > goto out_overflow; > bmlen = be32_to_cpup(p); > > + if (unlikely(bmlen > 3)) > + goto out_overflow; > + Nit: Using a naked integer should be avoid, if we can. Is there somewhere in the code that documents the "we only handle up t 3 bitmaps" constraint? > bitmap[0] = bitmap[1] = bitmap[2] = 0; > p = xdr_inline_decode(xdr, (bmlen << 2)); > if (unlikely(!p)) > -- > 1.8.3.1 (Apple Git-46) > > -- > To unsubscribe from this list: send the line "unsubscribe linux-nfs" in > the body of a message to majordomo@vger.kernel.org > More majordomo info at http://vger.kernel.org/majordomo-info.html
On Nov 15, 2013, at 12:05 PM, "Myklebust, Trond" <Trond.Myklebust@netapp.com> wrote: > On Fri, 2013-11-15 at 12:00 -0500, Trond Myklebust wrote: >> On Fri, 2013-11-15 at 11:38 -0500, Weston Andros Adamson wrote: >>> decode_bitmap will only decode up to three bitmaps. If the xdr buffer >>> has more than three bitmaps, return -EIO here instead of bailing out in >>> a later xdr decode. >>> >> >> No. decode_bitmap will only _save_ 3 words in the bitmap[] argment, but >> it will decode arbitrary sized bitmaps: >> >> p = xdr_inline_decode(xdr, (bmlen << 2)); >> > > That said, we should probably check that the server isn't setting those > bitmap words to any non-zero values. That would be a reason to return > EIO. Why wouldn't the client simply warn and ignore the extraneous data?
On Nov 15, 2013, at 12:10 PM, Myklebust, Trond <Trond.Myklebust@netapp.com> wrote: > On Fri, 2013-11-15 at 12:07 -0500, Chuck Lever wrote: >> On Nov 15, 2013, at 12:05 PM, "Myklebust, Trond" <Trond.Myklebust@netapp.com> wrote: >> >>> On Fri, 2013-11-15 at 12:00 -0500, Trond Myklebust wrote: >>>> On Fri, 2013-11-15 at 11:38 -0500, Weston Andros Adamson wrote: >>>>> decode_bitmap will only decode up to three bitmaps. If the xdr buffer >>>>> has more than three bitmaps, return -EIO here instead of bailing out in >>>>> a later xdr decode. >>>>> >>>> >>>> No. decode_bitmap will only _save_ 3 words in the bitmap[] argment, but >>>> it will decode arbitrary sized bitmaps: >>>> >>>> p = xdr_inline_decode(xdr, (bmlen << 2)); >>>> Oh, yeah. >>> >>> That said, we should probably check that the server isn't setting those >>> bitmap words to any non-zero values. That would be a reason to return >>> EIO. Ok, I’ll rework this. -dros >> >> Why wouldn't the client simply warn and ignore the extraneous data? >> > > ...because unless the GETATTR is the very last operation, we'd end up > failing to decode things correctly. Anyway, a server that returns > attributes that we haven't requested must clearly be borken. It's > definitely violating the spec. > > -- > Trond Myklebust > Linux NFS client maintainer > > NetApp > Trond.Myklebust@netapp.com > www.netapp.com -- To unsubscribe from this list: send the line "unsubscribe linux-nfs" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
On Nov 15, 2013, at 12:10 PM, "Myklebust, Trond" <Trond.Myklebust@netapp.com> wrote: > On Fri, 2013-11-15 at 12:07 -0500, Chuck Lever wrote: >> On Nov 15, 2013, at 12:05 PM, "Myklebust, Trond" <Trond.Myklebust@netapp.com> wrote: >> >>> On Fri, 2013-11-15 at 12:00 -0500, Trond Myklebust wrote: >>>> On Fri, 2013-11-15 at 11:38 -0500, Weston Andros Adamson wrote: >>>>> decode_bitmap will only decode up to three bitmaps. If the xdr buffer >>>>> has more than three bitmaps, return -EIO here instead of bailing out in >>>>> a later xdr decode. >>>>> >>>> >>>> No. decode_bitmap will only _save_ 3 words in the bitmap[] argment, but >>>> it will decode arbitrary sized bitmaps: >>>> >>>> p = xdr_inline_decode(xdr, (bmlen << 2)); >>>> >>> >>> That said, we should probably check that the server isn't setting those >>> bitmap words to any non-zero values. That would be a reason to return >>> EIO. >> >> Why wouldn't the client simply warn and ignore the extraneous data? >> > > ...because unless the GETATTR is the very last operation, we'd end up > failing to decode things correctly. Surely that's only if the returned bitmap length doesn't match the number of bitmap words returned. The server can return a properly encoded result without overwriting the next operation in the compound, can't it? > Anyway, a server that returns > attributes that we haven't requested must clearly be borken. It's > definitely violating the spec. Definitely, but "be lenient in what you accept." The reason I bring this up is that we had exactly this problem with NFSv4.2, where the third bitmap word was added. Anyway, just an observation.
diff --git a/fs/nfs/nfs4xdr.c b/fs/nfs/nfs4xdr.c index 5be2868..3866a69 100644 --- a/fs/nfs/nfs4xdr.c +++ b/fs/nfs/nfs4xdr.c @@ -3146,6 +3146,9 @@ static int decode_attr_bitmap(struct xdr_stream *xdr, uint32_t *bitmap) goto out_overflow; bmlen = be32_to_cpup(p); + if (unlikely(bmlen > 3)) + goto out_overflow; + bitmap[0] = bitmap[1] = bitmap[2] = 0; p = xdr_inline_decode(xdr, (bmlen << 2)); if (unlikely(!p))
decode_bitmap will only decode up to three bitmaps. If the xdr buffer has more than three bitmaps, return -EIO here instead of bailing out in a later xdr decode. Signed-off-by: Weston Andros Adamson <dros@netapp.com> --- This is related to my "NFSv4: fix getacl ERANGE for some ACL buffer sizes" patch - I noticed that even though we'll only ever parse 3 bitmaps, we don't error out correctly if more are sent. This condition is probably never hit, but if it ever is, it'd be nice to have the code error out where the problem actually occurred. fs/nfs/nfs4xdr.c | 3 +++ 1 file changed, 3 insertions(+)