From: Greg KH <gregkh@suse.de>
To: linux-kernel@vger.kernel.org, stable@kernel.org
Cc: Justin Forbes <jmforbes@linuxtx.org>,
Zwane Mwaikambo <zwane@arm.linux.org.uk>,
"Theodore Ts'o" <tytso@mit.edu>,
Randy Dunlap <rdunlap@xenotime.net>,
Dave Jones <davej@redhat.com>,
Chuck Wolber <chuckw@quantumlinux.com>,
Chris Wedgwood <reviews@ml.cw.f00f.org>,
Michael Krufky <mkrufky@linuxtv.org>,
Chuck Ebbert <cebbert@redhat.com>,
Domenico Andreoli <cavokz@gmail.com>,
torvalds@linux-foundation.org, akpm@linux-foundation.org,
alan@lxorguk.ukuu.org.uk,
Trond Myklebust <Trond.Myklebust@netapp.com>,
Neil Brown <neilb@suse.de>, Oliver Pinter <oliver.pntr@gmail.com>
Subject: [patch 18/23] NFS: Fix an Oops in encode_lookup()
Date: Fri, 22 Feb 2008 13:40:50 -0800 [thread overview]
Message-ID: <20080222214050.GS8686@suse.de> (raw)
In-Reply-To: <20080222213927.GA8686@suse.de>
[-- Attachment #1: nfs-fix-an-oops-in-encode_lookup.patch --]
[-- Type: text/plain, Size: 3809 bytes --]
2.6.22-stable review patch. If anyone has any objections, please let us
know.
------------------
From: Trond Myklebust <Trond.Myklebust@netapp.com>
mainline: 54af3bb543c071769141387a42deaaab5074da55
It doesn't look as if the NFS file name limit is being initialised correctly
in the struct nfs_server. Make sure that we limit whatever is being set in
nfs_probe_fsinfo() and nfs_init_server().
Also ensure that readdirplus and nfs4_path_walk respect our file name
limits.
Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Acked-by: Neil Brown <neilb@suse.de>
CC: Oliver Pinter <oliver.pntr@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
fs/nfs/client.c | 29 +++++++++++++++++++----------
fs/nfs/dir.c | 2 ++
fs/nfs/getroot.c | 3 +++
3 files changed, 24 insertions(+), 10 deletions(-)
--- a/fs/nfs/client.c
+++ b/fs/nfs/client.c
@@ -611,16 +611,6 @@ static int nfs_init_server(struct nfs_se
server->namelen = data->namlen;
/* Create a client RPC handle for the NFSv3 ACL management interface */
nfs_init_server_aclclient(server);
- if (clp->cl_nfsversion == 3) {
- if (server->namelen == 0 || server->namelen > NFS3_MAXNAMLEN)
- server->namelen = NFS3_MAXNAMLEN;
- if (!(data->flags & NFS_MOUNT_NORDIRPLUS))
- server->caps |= NFS_CAP_READDIRPLUS;
- } else {
- if (server->namelen == 0 || server->namelen > NFS2_MAXNAMLEN)
- server->namelen = NFS2_MAXNAMLEN;
- }
-
dprintk("<-- nfs_init_server() = 0 [new %p]\n", clp);
return 0;
@@ -820,6 +810,16 @@ struct nfs_server *nfs_create_server(con
error = nfs_probe_fsinfo(server, mntfh, &fattr);
if (error < 0)
goto error;
+ if (server->nfs_client->rpc_ops->version == 3) {
+ if (server->namelen == 0 || server->namelen > NFS3_MAXNAMLEN)
+ server->namelen = NFS3_MAXNAMLEN;
+ if (!(data->flags & NFS_MOUNT_NORDIRPLUS))
+ server->caps |= NFS_CAP_READDIRPLUS;
+ } else {
+ if (server->namelen == 0 || server->namelen > NFS2_MAXNAMLEN)
+ server->namelen = NFS2_MAXNAMLEN;
+ }
+
if (!(fattr.valid & NFS_ATTR_FATTR)) {
error = server->nfs_client->rpc_ops->getattr(server, mntfh, &fattr);
if (error < 0) {
@@ -1010,6 +1010,9 @@ struct nfs_server *nfs4_create_server(co
if (error < 0)
goto error;
+ if (server->namelen == 0 || server->namelen > NFS4_MAXNAMLEN)
+ server->namelen = NFS4_MAXNAMLEN;
+
BUG_ON(!server->nfs_client);
BUG_ON(!server->nfs_client->rpc_ops);
BUG_ON(!server->nfs_client->rpc_ops->file_inode_ops);
@@ -1082,6 +1085,9 @@ struct nfs_server *nfs4_create_referral_
if (error < 0)
goto error;
+ if (server->namelen == 0 || server->namelen > NFS4_MAXNAMLEN)
+ server->namelen = NFS4_MAXNAMLEN;
+
dprintk("Referral FSID: %llx:%llx\n",
(unsigned long long) server->fsid.major,
(unsigned long long) server->fsid.minor);
@@ -1141,6 +1147,9 @@ struct nfs_server *nfs_clone_server(stru
if (error < 0)
goto out_free_server;
+ if (server->namelen == 0 || server->namelen > NFS4_MAXNAMLEN)
+ server->namelen = NFS4_MAXNAMLEN;
+
dprintk("Cloned FSID: %llx:%llx\n",
(unsigned long long) server->fsid.major,
(unsigned long long) server->fsid.minor);
--- a/fs/nfs/dir.c
+++ b/fs/nfs/dir.c
@@ -1162,6 +1162,8 @@ static struct dentry *nfs_readdir_lookup
}
if (!desc->plus || !(entry->fattr->valid & NFS_ATTR_FATTR))
return NULL;
+ if (name.len > NFS_SERVER(dir)->namelen)
+ return NULL;
/* Note: caller is already holding the dir->i_mutex! */
dentry = d_alloc(parent, &name);
if (dentry == NULL)
--- a/fs/nfs/getroot.c
+++ b/fs/nfs/getroot.c
@@ -175,6 +175,9 @@ next_component:
path++;
name.len = path - (const char *) name.name;
+ if (name.len > NFS4_MAXNAMLEN)
+ return -ENAMETOOLONG;
+
eat_dot_dir:
while (*path == '/')
path++;
--
next prev parent reply other threads:[~2008-02-22 21:52 UTC|newest]
Thread overview: 32+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20080222213114.583282464@mini.kroah.org>
2008-02-22 21:39 ` [patch 00/23] 2.6.22-stable review Greg KH
2008-02-22 21:39 ` [patch 01/23] cciss: fix memory leak Greg KH
2008-02-22 21:40 ` [patch 02/23] sata_promise: FastTrack TX4200 is a second-generation chip Greg KH
2008-02-22 21:40 ` [patch 03/23] sata_promise: ASIC PRD table bug workaround Greg KH
2008-02-22 21:40 ` [patch 04/23] PCI: Fix fakephp deadlock Greg KH
2008-02-22 21:40 ` [patch 05/23] quicklists: do not release off node pages early Greg KH
2008-02-22 21:40 ` [patch 06/23] NFS: Fix a potential file corruption issue when writing Greg KH
2008-02-22 21:40 ` [patch 07/23] cciss: Panic in blk_rq_map_sg() from CCISS driver Greg KH
2008-02-25 15:06 ` Lee Schermerhorn
2008-02-25 15:39 ` Jens Axboe
2008-02-25 17:55 ` [stable] " Greg KH
2008-02-22 21:40 ` [patch 08/23] Handle bogus %cs selector in single-step instruction decoding (CVE-2007-3731) Greg KH
2008-02-22 21:40 ` [patch 09/23] i386: fixup TRACE_IRQ breakage (CVE-2007-3731) Greg KH
2008-02-22 21:40 ` [patch 10/23] Intel_agp: really fix 945/965GME Greg KH
2008-02-22 21:40 ` [patch 11/23] pci: fix unterminated pci_device_id lists Greg KH
2008-02-22 21:40 ` [patch 12/23] sony-laptop: call sonypi_compat_init earlier Greg KH
2008-02-22 21:40 ` [patch 13/23] VIA_VELOCITY: Dont oops on MTU change Greg KH
2008-02-22 21:40 ` [patch 14/23] via-velocity: dont oops on MTU change (resend) Greg KH
2008-02-22 21:40 ` [patch 15/23] knfsd: fix spurious EINVAL errors on first access of new filesystem Greg KH
2008-02-22 21:40 ` [patch 16/23] NFS: Fix nfs_reval_fsid() Greg KH
2008-02-22 21:40 ` [patch 17/23] NFSv2/v3: Fix a memory leak when using -onolock Greg KH
2008-02-22 21:40 ` Greg KH [this message]
2008-02-22 21:40 ` [patch 19/23] knfsd: query filesystem for NFSv4 getattr of FATTR4_MAXNAME Greg KH
2008-02-22 21:40 ` [patch 20/23] quicklists: Only consider memory that can be used with GFP_KERNEL Greg KH
2008-02-22 21:40 ` [patch 21/23] Be more robust about bad arguments in get_user_pages() Greg KH
2008-02-22 21:40 ` [patch 22/23] SCSI: sd: handle bad lba in sense information Greg KH
2008-02-22 21:41 ` [patch 23/23] NETFILTER: nf_conntrack_tcp: conntrack reopening fix Greg KH
2008-02-22 21:44 ` [patch 00/23] 2.6.22-stable review Greg KH
2008-02-22 22:03 ` Oliver Pinter
2008-02-22 22:32 ` Greg KH
2008-02-23 8:47 ` Willy Tarreau
2008-02-22 21:59 ` Oliver Pinter
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20080222214050.GS8686@suse.de \
--to=gregkh@suse.de \
--cc=Trond.Myklebust@netapp.com \
--cc=akpm@linux-foundation.org \
--cc=alan@lxorguk.ukuu.org.uk \
--cc=cavokz@gmail.com \
--cc=cebbert@redhat.com \
--cc=chuckw@quantumlinux.com \
--cc=davej@redhat.com \
--cc=jmforbes@linuxtx.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mkrufky@linuxtv.org \
--cc=neilb@suse.de \
--cc=oliver.pntr@gmail.com \
--cc=rdunlap@xenotime.net \
--cc=reviews@ml.cw.f00f.org \
--cc=stable@kernel.org \
--cc=torvalds@linux-foundation.org \
--cc=tytso@mit.edu \
--cc=zwane@arm.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.