From: Tom Tucker <tom@opengridcomputing.com>
To: Dan Carpenter <dan.carpenter@oracle.com>
Cc: tom@ogc.us, Linux NFS Mailing List <linux-nfs@vger.kernel.org>
Subject: question about map_read_chunks()
Date: Mon, 20 Feb 2012 12:44:57 -0600 [thread overview]
Message-ID: <4F4294A9.20308@opengridcomputing.com> (raw)
In-Reply-To: <20120220182003.GL2912@mwanda>
Hi Dan,
> ----- Forwarded message from Dan Carpenter<dan.carpenter@oracle.com> -----
>
> Date: Mon, 20 Feb 2012 12:50:19 +0300
> From: Dan Carpenter<dan.carpenter@oracle.com>
> To: Tom Tucker<tom@ogc.us>
> Cc: "J. Bruce Fields"<bfields@redhat.com>, netdev@vger.kernel.org, linux-nfs@vger.kernel.org
> Subject: question about map_read_chunks()
>
> I had a couple questions about some map_read_chunks().
>
> net/sunrpc/xprtrdma/svc_rdma_recvfrom.c
>
> 150 ch_bytes = ntohl(ch->rc_target.rs_length);
> ^^^^^^^^
> It look like this is 32 bits from the network?
Yes, it is. All these values should be clamped by the wsize/rsize,
however, I don't think we enforce that. We should add a check to
svc_rdma_xdr_decode_req().
>
> 151 head->arg.head[0] = rqstp->rq_arg.head[0];
> 152 head->arg.tail[0] = rqstp->rq_arg.tail[0];
> 153 head->arg.pages =&head->pages[head->count];
> 154 head->hdr_count = head->count; /* save count of hdr pages */
> 155 head->arg.page_base = 0;
> 156 head->arg.page_len = ch_bytes;
> 157 head->arg.len = rqstp->rq_arg.len + ch_bytes;
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> Can overflow.
Without the proposed check, it can.
> 158 head->arg.buflen = rqstp->rq_arg.buflen + ch_bytes;
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> Same. I didn't follow it through to see if an overflow matters. Does
> it?
I think it could cause bad things to happen, yes.
>
> 159 head->count++;
> 160 chl_map->ch[0].start = 0;
> 161 while (byte_count) {
> 162 rpl_map->sge[sge_no].iov_base =
> 163 page_address(rqstp->rq_arg.pages[page_no]) + page_off;
> 164 sge_bytes = min_t(int, PAGE_SIZE-page_off, ch_bytes);
> ^^^
> This is the wrong cast to use. A large ch_bytes would be counted as a
> negative value and get around the cap here.
I suppose, in theory, we could have a r/wsize > 2G, in which case, you are
correct.
> 165 rpl_map->sge[sge_no].iov_len = sge_bytes;
>
> regards,
> dan carpenter
>
I think adding a check to svc_rdma_xdr_decode_req() would avoid any
possibility of overflow. I'll code up a patch.
Thanks,
Tom
next parent reply other threads:[~2012-02-20 18:44 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20120220182003.GL2912@mwanda>
2012-02-20 18:44 ` Tom Tucker [this message]
2012-02-20 9:50 question about map_read_chunks() Dan Carpenter
2012-02-20 9:50 ` Dan Carpenter
2013-09-27 12:21 ` Dan Carpenter
2013-09-27 15:23 ` Tom Tucker
2013-09-27 15:23 ` Tom Tucker
2013-09-27 20:15 ` J. Bruce Fields
2013-09-27 20:15 ` J. Bruce Fields
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4F4294A9.20308@opengridcomputing.com \
--to=tom@opengridcomputing.com \
--cc=dan.carpenter@oracle.com \
--cc=linux-nfs@vger.kernel.org \
--cc=tom@ogc.us \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.