nfs: nfs client decode fslocations oops if server cheating it

Commit Message

fanchaoting March 25, 2013, 10:57 a.m. UTC

now nfs server will return wrong nlocations,nservers, ncomponents to the client.
for example if the nlocations is NFS4_FS_LOCATIONS_MAXENTRIES, the nfs client
will decode oops when run "struct nfs4_fs_location *loc = &res->locations[res->nlocations]"

Signed-off-by: fanchaoting<fanchaoting@cn.fujitsu.com>
Reviewed-by: chendt.fnst@cn.fujitsu.com

---
 fs/nfs/nfs4xdr.c |   13 ++++++++++++-
 1 files changed, 12 insertions(+), 1 deletions(-)

Patch

diff --git a/fs/nfs/nfs4xdr.c b/fs/nfs/nfs4xdr.c
index e3edda5..25f1769 100644
--- a/fs/nfs/nfs4xdr.c
+++ b/fs/nfs/nfs4xdr.c
@@ -3496,6 +3496,10 @@  static int decode_pathname(struct xdr_stream *xdr, struct nfs4_pathname *path)
 	n = be32_to_cpup(p);
 	if (n == 0)
 		goto root_path;
+	if (n > NFS4_PATHNAME_MAXCOMPONENTS) {
+		dprintk("%s: server cheating client ncomponents :%d\n", __func__, n);
+		goto out_eio;
+	}
 	dprintk("pathname4: ");
 	path->ncomponents = 0;
 	while (path->ncomponents < n) {
@@ -3557,6 +3561,10 @@  static int decode_attr_fs_locations(struct xdr_stream *xdr, uint32_t *bitmap, st
 	n = be32_to_cpup(p);
 	if (n <= 0)
 		goto out_eio;
+	if (n > NFS4_FS_LOCATIONS_MAXENTRIES) {
+		dprintk("%s: server cheating client nlocations :%d\n", __func__, n);
+		goto out_eio;
+	}
 	res->nlocations = 0;
 	while (res->nlocations < n) {
 		u32 m;
@@ -3566,7 +3574,10 @@  static int decode_attr_fs_locations(struct xdr_stream *xdr, uint32_t *bitmap, st
 		if (unlikely(!p))
 			goto out_overflow;
 		m = be32_to_cpup(p);
-
+		if (m > NFS4_FS_LOCATION_MAXSERVERS) {
+			dprintk("%s: server cheating client nservers :%d\n", __func__, m);
+			goto out_eio;
+		}
 		loc->nservers = 0;
 		dprintk("%s: servers:\n", __func__);
 		while (loc->nservers < m) {