@@ -66,13 +66,30 @@ nfsd3_proc_setattr(struct svc_rqst *rqstp)
{
struct nfsd3_sattrargs *argp = rqstp->rq_argp;
struct nfsd3_attrstat *resp = rqstp->rq_resp;
+ struct iattr *iap = &argp->attrs;
dprintk("nfsd: SETATTR(3) %s\n",
SVCFH_fmt(&argp->fh));
fh_copy(&resp->fh, &argp->fh);
- resp->status = nfsd_setattr(rqstp, &resp->fh, &argp->attrs,
+
+ if (iap->ia_valid & ATTR_SIZE) {
+ struct super_block *sb;
+
+ resp->status = fh_verify(rqstp, &resp->fh, S_IFREG,
+ NFSD_MAY_SATTR|NFSD_MAY_WRITE|NFSD_MAY_OWNER_OVERRIDE);
+ if (resp->status != nfs_ok)
+ goto out;
+
+ resp->status = nfserr_inval;
+ sb = resp->fh.fh_dentry->d_sb;
+ if (iap->ia_size < 0 || iap->ia_size > sb->s_maxbytes)
+ goto out;
+ }
+
+ resp->status = nfsd_setattr(rqstp, &resp->fh, iap,
argp->check_guard, argp->guardtime);
+out:
return rpc_success;
}
@@ -254,7 +254,7 @@ svcxdr_decode_sattr3(struct svc_rqst *rqstp, struct xdr_stream *xdr,
if (xdr_stream_decode_u64(xdr, &newsize) < 0)
return false;
iap->ia_valid |= ATTR_SIZE;
- iap->ia_size = min_t(u64, newsize, NFS_OFFSET_MAX);
+ iap->ia_size = newsize;
}
if (xdr_stream_decode_u32(xdr, &set_it) < 0)
return false;
iattr::ia_size is a loff_t, so the XDR decoders must be careful to deal with incoming client size values that are larger than s64_max. VFS size comparisons (like in inode_newsize_ok) should now work as expected -- it returns -EFBIG if the new size is larger than the underlying filesystem's s_maxbytes. However, RFC 1813 permits only WRITE to return NFS3ERR_FBIG. Add an extra check to prevent NFSv3 SETATTR from returning FBIG. Other NFSv3 procedures that take sattr3 arguments need to be audited for this issue. Signed-off-by: Chuck Lever <chuck.lever@oracle.com> --- fs/nfsd/nfs3proc.c | 19 ++++++++++++++++++- fs/nfsd/nfs3xdr.c | 2 +- 2 files changed, 19 insertions(+), 2 deletions(-)