From: "J. Bruce Fields" <bfields@redhat.com>
To: linux-nfs@vger.kernel.org
Cc: "J. Bruce Fields" <bfields@redhat.com>, stable@kernel.org
Subject: [PATCH 3/7] svcrpc: fix handling of too-short rpc's
Date: Wed, 26 Jun 2013 15:21:23 -0400
Message-ID: <1372274488-4752-4-git-send-email-bfields@redhat.com>
In-Reply-To: <1372274488-4752-1-git-send-email-bfields@redhat.com>
From: "J. Bruce Fields" <bfields@redhat.com>
If we detect that an rpc is too short, we abort and close the
connection. Except, there's a bug here: we're leaving sk_datalen
nonzero without leaving any pages in the sk_pages array. The most
likely result of the inconsistency is a subsequent crash in
svc_tcp_clear_pages.
Also demote the BUG_ON in svc_tcp_clear_pages to a WARN.
Cc: stable@kernel.org
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
---
net/sunrpc/svcsock.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/net/sunrpc/svcsock.c b/net/sunrpc/svcsock.c
index 0f679df..df74919 100644
--- a/net/sunrpc/svcsock.c
+++ b/net/sunrpc/svcsock.c
@@ -917,7 +917,10 @@ static void svc_tcp_clear_pages(struct svc_sock *svsk)
len = svsk->sk_datalen;
npages = (len + PAGE_SIZE - 1) >> PAGE_SHIFT;
for (i = 0; i < npages; i++) {
- BUG_ON(svsk->sk_pages[i] == NULL);
+ if (svsk->sk_pages[i] == NULL) {
+ WARN_ON_ONCE(1);
+ continue;
+ }
put_page(svsk->sk_pages[i]);
svsk->sk_pages[i] = NULL;
}
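Review bot: Style point on the new NULL check in svc_tcp_clear_pages: WARN_ON_ONCE() returns the value of its condition, so the four added lines can be written as "if (WARN_ON_ONCE(svsk->sk_pages[i] == NULL)) continue;", which also puts the failing expression in the warning output instead of a bare "1". A second point to consider: because the warning fires only once, a later recurrence of the sk_datalen/sk_pages mismatch is skipped silently, so a short comment stating that a NULL slot here means sk_datalen is out of step with sk_pages would help whoever reads the trace.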
@@ -1092,8 +1095,10 @@ static int svc_tcp_recvfrom(struct svc_rqst *rqstp)
goto err_noclose;
}
- if (svc_sock_reclen(svsk) < 8)
+ if (svc_sock_reclen(svsk) < 8) {
+ svsk->sk_datalen = 0;
goto err_delete; /* client is nuts. */
+ }
rqstp->rq_arg.len = svsk->sk_datalen;
rqstp->rq_arg.page_base = 0;
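Review bot: Missing documentation at the added "svsk->sk_datalen = 0;" in svc_tcp_recvfrom: the reason for the reset (no pages are left in sk_pages at this point, so a nonzero sk_datalen would make svc_tcp_clear_pages walk NULL slots) is only in the commit message, and the existing "client is nuts" comment does not cover it. A one-line comment above the assignment would keep the invariant visible in the code. It is also worth checking whether the reset belongs under the err_delete label itself, so that any other path jumping there with the same state is covered; the other callers of that label are not visible in this hunk, so that needs confirming against the full function.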
--
1.8.1.4