From: "J. Bruce Fields" <bfields@fieldses.org>
To: Chuck Lever <chuck.lever@oracle.com>
Cc: Tom Tucker <tom@opengridcomputing.com>,
Trond Myklebust <trond.myklebust@fys.uio.no>,
Linux NFS Mailing List <linux-nfs@vger.kernel.org>
Subject: Re: [PATCH 02/23] SUNRPC: Fix return type of svc_addr_len()
Date: Tue, 24 Mar 2009 17:02:23 -0400 [thread overview]
Message-ID: <20090324210223.GI19389@fieldses.org> (raw)
In-Reply-To: <B9961123-78C4-414A-BC5D-84BDC85771B7@oracle.com>
On Tue, Mar 24, 2009 at 04:37:49PM -0400, Chuck Lever wrote:
> On Mar 24, 2009, at 4:32 PM, J. Bruce Fields wrote:
>> On Wed, Mar 18, 2009 at 08:45:36PM -0400, Chuck Lever wrote:
>>> The svc_addr_len() helper function can return a negative errno value,
>>> but its return type is size_t, which is unsigned.
>>>
>>> The RDMA transport code passes this return value directly to
>>> memset(),
>>> without checking first if it's negative. This could cause memset()
>>> to
>>> clobber a large piece of memory if svc_addr_len() has returned an
>>> error.
>>
>> I'd still like to understand when this can happen, to better
>> understand
>> how the error should be handled.
>>
>> Also:
>>
>>>
>>> Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
>>> ---
>>>
>>> include/linux/sunrpc/svc_xprt.h | 3 ++-
>>> net/sunrpc/xprtrdma/svc_rdma_transport.c | 16 ++++++++++++++--
>>> 2 files changed, 16 insertions(+), 3 deletions(-)
>>>
>>> diff --git a/include/linux/sunrpc/svc_xprt.h b/include/linux/sunrpc/
>>> svc_xprt.h
>>> index 0127dac..c2aa8cd 100644
>>> --- a/include/linux/sunrpc/svc_xprt.h
>>> +++ b/include/linux/sunrpc/svc_xprt.h
>>> @@ -113,7 +113,7 @@ static inline unsigned short
>>> svc_addr_port(struct sockaddr *sa)
>>> return ret;
>>> }
>>>
>>> -static inline size_t svc_addr_len(struct sockaddr *sa)
>>> +static inline int svc_addr_len(const struct sockaddr *sa)
>>> {
>>> switch (sa->sa_family) {
>>> case AF_INET:
>>> @@ -121,6 +121,7 @@ static inline size_t svc_addr_len(struct
>>> sockaddr *sa)
>>> case AF_INET6:
>>> return sizeof(struct sockaddr_in6);
>>> }
>>> +
>>> return -EAFNOSUPPORT;
>>> }
>
> It's clearly a bug to return -EAFNOSUPPORT in a size_t.
I agree. My comment is just that this patch doesn't necessarily fix the
real bug; so as long as there's a bug here, I'd prefer it to be an
obvious one.
>>> diff --git a/net/sunrpc/xprtrdma/svc_rdma_transport.c b/net/sunrpc/
>>> xprtrdma/svc_rdma_transport.c
>>> index 3d810e7..d1ec6f9 100644
>>> --- a/net/sunrpc/xprtrdma/svc_rdma_transport.c
>>> +++ b/net/sunrpc/xprtrdma/svc_rdma_transport.c
>>> @@ -546,6 +546,7 @@ static void handle_connect_req(struct rdma_cm_id
>>> *new_cma_id, size_t client_ird)
>>> struct svcxprt_rdma *listen_xprt = new_cma_id->context;
>>> struct svcxprt_rdma *newxprt;
>>> struct sockaddr *sa;
>>> + int len;
>>>
>>> /* Create a new transport */
>>> newxprt = rdma_create_xprt(listen_xprt->sc_xprt.xpt_server, 0);
>>> @@ -563,9 +564,20 @@ static void handle_connect_req(struct
>>> rdma_cm_id *new_cma_id, size_t client_ird)
>>>
>>> /* Set the local and remote addresses in the transport */
>>> sa = (struct sockaddr *)&newxprt->sc_cm_id->route.addr.dst_addr;
>>> - svc_xprt_set_remote(&newxprt->sc_xprt, sa, svc_addr_len(sa));
>>> + len = svc_addr_len(sa);
>>> + if (len < 0) {
>>> + dprintk("svcrdma: dst_addr has a bad address family\n");
>>> + return;
>>
>> we're probably leaking something here.
>>
>> I don't want to fix this until it's understood well enough to fix it
>> correctly.
>
> Tom needs respond to this, but I think it would be safe to simply BUG()
> here.
Could be.--b.
next prev parent reply other threads:[~2009-03-24 21:02 UTC|newest]
Thread overview: 38+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-03-19 0:45 [PATCH 00/23] Shorter series for 2.6.30 Chuck Lever
[not found] ` <20090319004024.32404.68289.stgit-07a7zB5ZJzbwdl/1UfZZQIVfYA8g3rJ/@public.gmane.org>
2009-03-19 0:45 ` [PATCH 01/23] SUNRPC: Don't flag empty RPCB_GETADDR reply as bogus Chuck Lever
2009-03-19 0:45 ` [PATCH 02/23] SUNRPC: Fix return type of svc_addr_len() Chuck Lever
[not found] ` <20090319004535.32404.37120.stgit-07a7zB5ZJzbwdl/1UfZZQIVfYA8g3rJ/@public.gmane.org>
2009-03-24 20:32 ` J. Bruce Fields
2009-03-24 20:37 ` Chuck Lever
2009-03-24 21:02 ` J. Bruce Fields [this message]
2009-03-26 7:43 ` Greg Banks
2009-03-26 16:03 ` Chuck Lever
2009-04-02 1:43 ` Tom Tucker
2009-04-02 22:39 ` J. Bruce Fields
2009-04-02 22:43 ` Chuck Lever
2009-03-19 0:45 ` [PATCH 03/23] SUNRPC: Clean up static inline functions in svc_xprt.h Chuck Lever
2009-03-19 0:45 ` [PATCH 04/23] NFSD: If port value written to /proc/fs/nfsd/portlist is invalid, return EINVAL Chuck Lever
2009-03-19 0:45 ` [PATCH 05/23] SUNRPC: Clean up svc_find_xprt() calling sequence Chuck Lever
2009-03-19 0:46 ` [PATCH 06/23] SUNRPC: Pass a family argument to svc_register() Chuck Lever
2009-03-19 0:46 ` [PATCH 07/23] SUNRPC: svc_setup_socket() gets protocol family from socket Chuck Lever
2009-03-19 0:46 ` [PATCH 08/23] SUNRPC: Change svc_create_xprt() to take a @family argument Chuck Lever
2009-03-19 0:46 ` [PATCH 09/23] SUNRPC: Remove @family argument from svc_create() and svc_create_pooled() Chuck Lever
2009-03-19 0:46 ` [PATCH 10/23] NFS: Revert creation of IPv6 listeners for lockd and NFSv4 callbacks Chuck Lever
2009-03-19 0:46 ` [PATCH 11/23] SUNRPC: Set IPV6ONLY flag on PF_INET6 RPC listener sockets Chuck Lever
2009-03-19 0:46 ` [PATCH 12/23] SUNRPC: Use IPv4 loopback for registering AF_INET6 kernel RPC services Chuck Lever
2009-03-19 0:46 ` [PATCH 13/23] SUNRPC: Don't return EPROTONOSUPPORT in svc_register()'s helpers Chuck Lever
2009-03-19 0:47 ` [PATCH 14/23] SUNRPC: Clean up address type casts in rpcb_v4_register() Chuck Lever
2009-03-19 0:47 ` [PATCH 15/23] SUNRPC: rpcbind actually interprets r_owner string Chuck Lever
[not found] ` <20090319004713.32404.63163.stgit-07a7zB5ZJzbwdl/1UfZZQIVfYA8g3rJ/@public.gmane.org>
2009-03-26 8:58 ` Greg Banks
2009-03-26 15:44 ` Chuck Lever
2009-03-26 23:18 ` Greg Banks
2009-03-27 15:36 ` Chuck Lever
2009-03-27 22:02 ` Greg Banks
2009-03-19 0:47 ` [PATCH 16/23] SUNRPC: Allow callers to pass rpcb_v4_register a NULL address Chuck Lever
2009-03-19 0:47 ` [PATCH 17/23] SUNRPC: Simplify svc_unregister() Chuck Lever
2009-03-19 0:47 ` [PATCH 18/23] SUNRPC: Simplify kernel RPC service registration Chuck Lever
2009-03-19 0:47 ` [PATCH 19/23] SUNRPC: rpcb_register() should handle errors silently Chuck Lever
2009-03-19 0:47 ` [PATCH 20/23] SUNRPC: Remove CONFIG_SUNRPC_REGISTER_V4 Chuck Lever
2009-03-19 0:47 ` [PATCH 21/23] lockd: Start PF_INET6 listener only if IPv6 support is available Chuck Lever
2009-03-19 0:48 ` [PATCH 22/23] NFS: Start PF_INET6 callback " Chuck Lever
2009-03-19 0:48 ` [PATCH 23/23] NFS: Simplify logic to compare socket addresses in client.c Chuck Lever
2009-03-24 22:49 ` [PATCH 00/23] Shorter series for 2.6.30 J. Bruce Fields
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20090324210223.GI19389@fieldses.org \
--to=bfields@fieldses.org \
--cc=chuck.lever@oracle.com \
--cc=linux-nfs@vger.kernel.org \
--cc=tom@opengridcomputing.com \
--cc=trond.myklebust@fys.uio.no \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.