[PATCH] NFS4: Avoid potential NULL pointer dereference in decode_and_add

linux-nfs.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* [PATCH] NFS4: Avoid potential NULL pointer dereference in decode_and_add_ds().
@ 2011-01-16 20:50 Jesper Juhl
  2011-01-17  3:10 ` Mi Jinlong
  2011-01-17 17:04 ` Fred Isaman
  0 siblings, 2 replies; 7+ messages in thread
From: Jesper Juhl @ 2011-01-16 20:50 UTC (permalink / raw)
  To: linux-nfs; +Cc: Trond Myklebust, linux-kernel

strrchr() can return NULL if nothing is found. If this happens we'll 
dereference a NULL pointer in 
fs/nfs/nfs4filelayoutdev.c::decode_and_add_ds().

I tried to find some other code that guarantees that this can never 
happen but I was unsuccessful. So, unless someone else can point to some 
code that ensures this can never be a problem, I believe this patch is 
needed.

While I was changing this code I also noticed that all the dprintk() 
statements, except one, start with "%s:". The one missing the ":" I added 
it to.

Signed-off-by: Jesper Juhl <jj@chaosbits.net>
---
 nfs4filelayoutdev.c |    7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

  only compile tested.

diff --git a/fs/nfs/nfs4filelayoutdev.c b/fs/nfs/nfs4filelayoutdev.c
index 51fe64a..5a85b8f 100644
--- a/fs/nfs/nfs4filelayoutdev.c
+++ b/fs/nfs/nfs4filelayoutdev.c
@@ -214,7 +214,7 @@ decode_and_add_ds(__be32 **pp, struct inode *inode)
 
 	/* ipv6 length plus port is legal */
 	if (rlen > INET6_ADDRSTRLEN + 8) {
-		dprintk("%s Invalid address, length %d\n", __func__,
+		dprintk("%s: Invalid address, length %d\n", __func__,
 			rlen);
 		goto out_err;
 	}
@@ -225,6 +225,11 @@ decode_and_add_ds(__be32 **pp, struct inode *inode)
 	/* replace the port dots with dashes for the in4_pton() delimiter*/
 	for (i = 0; i < 2; i++) {
 		char *res = strrchr(buf, '.');
+		if (!res) {
+			dprintk("%s: Failed finding expected dots in port\n",
+				__func__);
+			goto out_free;
+		}
 		*res = '-';
 	}
 

-- 
Jesper Juhl <jj@chaosbits.net>            http://www.chaosbits.net/
Don't top-post http://www.catb.org/~esr/jargon/html/T/top-post.html
Plain text mails only, please.


^ permalink raw reply related	[flat|nested] 7+ messages in thread

* Re: [PATCH] NFS4: Avoid potential NULL pointer dereference in decode_and_add_ds().
  2011-01-16 20:50 [PATCH] NFS4: Avoid potential NULL pointer dereference in decode_and_add_ds() Jesper Juhl
@ 2011-01-17  3:10 ` Mi Jinlong
  2011-01-17 18:41   ` Jesper Juhl
  2011-01-17 17:04 ` Fred Isaman
  1 sibling, 1 reply; 7+ messages in thread
From: Mi Jinlong @ 2011-01-17  3:10 UTC (permalink / raw)
  To: Jesper Juhl; +Cc: linux-nfs, Trond Myklebust, linux-kernel



Jesper Juhl:
> strrchr() can return NULL if nothing is found. If this happens we'll 
> dereference a NULL pointer in 
> fs/nfs/nfs4filelayoutdev.c::decode_and_add_ds().
> 
> I tried to find some other code that guarantees that this can never 
> happen but I was unsuccessful. So, unless someone else can point to some 
> code that ensures this can never be a problem, I believe this patch is 
> needed.
> 
> While I was changing this code I also noticed that all the dprintk() 
> statements, except one, start with "%s:". The one missing the ":" I added 
> it to.

  Maybe another one also should be changed at decode_and_add_ds() at line 243:

   243  printk("%s Decoded address and port %s\n", __func__, buf);

-- 
----
thanks
Mi Jinlong

> 
> Signed-off-by: Jesper Juhl <jj@chaosbits.net>
> ---
>  nfs4filelayoutdev.c |    7 ++++++-
>  1 file changed, 6 insertions(+), 1 deletion(-)
> 
>   only compile tested.
> 
> diff --git a/fs/nfs/nfs4filelayoutdev.c b/fs/nfs/nfs4filelayoutdev.c
> index 51fe64a..5a85b8f 100644
> --- a/fs/nfs/nfs4filelayoutdev.c
> +++ b/fs/nfs/nfs4filelayoutdev.c
> @@ -214,7 +214,7 @@ decode_and_add_ds(__be32 **pp, struct inode *inode)
>  
>  	/* ipv6 length plus port is legal */
>  	if (rlen > INET6_ADDRSTRLEN + 8) {
> -		dprintk("%s Invalid address, length %d\n", __func__,
> +		dprintk("%s: Invalid address, length %d\n", __func__,
>  			rlen);
>  		goto out_err;
>  	}
> @@ -225,6 +225,11 @@ decode_and_add_ds(__be32 **pp, struct inode *inode)
>  	/* replace the port dots with dashes for the in4_pton() delimiter*/
>  	for (i = 0; i < 2; i++) {
>  		char *res = strrchr(buf, '.');
> +		if (!res) {
> +			dprintk("%s: Failed finding expected dots in port\n",
> +				__func__);
> +			goto out_free;
> +		}
>  		*res = '-';
>  	}
>  
> 


^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: [PATCH] NFS4: Avoid potential NULL pointer dereference in decode_and_add_ds().
  2011-01-17  3:10 ` Mi Jinlong
@ 2011-01-17 18:41   ` Jesper Juhl
       [not found]     ` <alpine.LNX.2.00.1101171940480.27021-h2p7t3/P30RzeRGmFJ5qR7ZzlVVXadcDXqFh9Ls21Oc@public.gmane.org>
  0 siblings, 1 reply; 7+ messages in thread
From: Jesper Juhl @ 2011-01-17 18:41 UTC (permalink / raw)
  To: Mi Jinlong; +Cc: linux-nfs, Trond Myklebust, linux-kernel, Fred Isaman

On Mon, 17 Jan 2011, Mi Jinlong wrote:

> 
> 
> Jesper Juhl:
> > strrchr() can return NULL if nothing is found. If this happens we'll 
> > dereference a NULL pointer in 
> > fs/nfs/nfs4filelayoutdev.c::decode_and_add_ds().
> > 
> > I tried to find some other code that guarantees that this can never 
> > happen but I was unsuccessful. So, unless someone else can point to some 
> > code that ensures this can never be a problem, I believe this patch is 
> > needed.
> > 
> > While I was changing this code I also noticed that all the dprintk() 
> > statements, except one, start with "%s:". The one missing the ":" I added 
> > it to.
> 
>   Maybe another one also should be changed at decode_and_add_ds() at line 243:
> 
>    243  printk("%s Decoded address and port %s\n", __func__, buf);
> 
Missed that one. Thanks. 

Signed-off-by: Jesper Juhl <jj@chaosbits.net>
---
 nfs4filelayoutdev.c |    9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/fs/nfs/nfs4filelayoutdev.c b/fs/nfs/nfs4filelayoutdev.c
index 51fe64a..f5c9b12 100644
--- a/fs/nfs/nfs4filelayoutdev.c
+++ b/fs/nfs/nfs4filelayoutdev.c
@@ -214,7 +214,7 @@ decode_and_add_ds(__be32 **pp, struct inode *inode)
 
 	/* ipv6 length plus port is legal */
 	if (rlen > INET6_ADDRSTRLEN + 8) {
-		dprintk("%s Invalid address, length %d\n", __func__,
+		dprintk("%s: Invalid address, length %d\n", __func__,
 			rlen);
 		goto out_err;
 	}
@@ -225,6 +225,11 @@ decode_and_add_ds(__be32 **pp, struct inode *inode)
 	/* replace the port dots with dashes for the in4_pton() delimiter*/
 	for (i = 0; i < 2; i++) {
 		char *res = strrchr(buf, '.');
+		if (!res) {
+			dprintk("%s: Failed finding expected dots in port\n",
+				__func__);
+			goto out_free;
+		}
 		*res = '-';
 	}
 
@@ -240,7 +245,7 @@ decode_and_add_ds(__be32 **pp, struct inode *inode)
 	port = htons((tmp[0] << 8) | (tmp[1]));
 
 	ds = nfs4_pnfs_ds_add(inode, ip_addr, port);
-	dprintk("%s Decoded address and port %s\n", __func__, buf);
+	dprintk("%s: Decoded address and port %s\n", __func__, buf);
 out_free:
 	kfree(buf);
 out_err:
 

-- 
Jesper Juhl <jj@chaosbits.net>            http://www.chaosbits.net/
Don't top-post http://www.catb.org/~esr/jargon/html/T/top-post.html
Plain text mails only, please.


^ permalink raw reply related	[flat|nested] 7+ messages in thread

[parent not found: <alpine.LNX.2.00.1101171940480.27021-h2p7t3/P30RzeRGmFJ5qR7ZzlVVXadcDXqFh9Ls21Oc@public.gmane.org>]

* Re: [PATCH] NFS4: Avoid potential NULL pointer dereference in decode_and_add_ds().
       [not found]     ` <alpine.LNX.2.00.1101171940480.27021-h2p7t3/P30RzeRGmFJ5qR7ZzlVVXadcDXqFh9Ls21Oc@public.gmane.org>
@ 2011-01-18 14:43       ` Andy Adamson
  0 siblings, 0 replies; 7+ messages in thread
From: Andy Adamson @ 2011-01-18 14:43 UTC (permalink / raw)
  To: Jesper Juhl
  Cc: Mi Jinlong, linux-nfs, Trond Myklebust, linux-kernel, Fred Isaman


On Jan 17, 2011, at 1:41 PM, Jesper Juhl wrote:

> On Mon, 17 Jan 2011, Mi Jinlong wrote:
> 
>> 
>> 
>> Jesper Juhl:
>>> strrchr() can return NULL if nothing is found. If this happens we'll 
>>> dereference a NULL pointer in 
>>> fs/nfs/nfs4filelayoutdev.c::decode_and_add_ds().



Yes - good catch.

-->Andy

>>> 
>>> I tried to find some other code that guarantees that this can never 
>>> happen but I was unsuccessful. So, unless someone else can point to some 
>>> code that ensures this can never be a problem, I believe this patch is 
>>> needed.
>>> 
>>> While I was changing this code I also noticed that all the dprintk() 
>>> statements, except one, start with "%s:". The one missing the ":" I added 
>>> it to.
>> 
>>  Maybe another one also should be changed at decode_and_add_ds() at line 243:
>> 
>>   243  printk("%s Decoded address and port %s\n", __func__, buf);
>> 
> Missed that one. Thanks. 
> 
> Signed-off-by: Jesper Juhl <jj@chaosbits.net>
> ---
> nfs4filelayoutdev.c |    9 +++++++--
> 1 file changed, 7 insertions(+), 2 deletions(-)
> 
> diff --git a/fs/nfs/nfs4filelayoutdev.c b/fs/nfs/nfs4filelayoutdev.c
> index 51fe64a..f5c9b12 100644
> --- a/fs/nfs/nfs4filelayoutdev.c
> +++ b/fs/nfs/nfs4filelayoutdev.c
> @@ -214,7 +214,7 @@ decode_and_add_ds(__be32 **pp, struct inode *inode)
> 
> 	/* ipv6 length plus port is legal */
> 	if (rlen > INET6_ADDRSTRLEN + 8) {
> -		dprintk("%s Invalid address, length %d\n", __func__,
> +		dprintk("%s: Invalid address, length %d\n", __func__,
> 			rlen);
> 		goto out_err;
> 	}
> @@ -225,6 +225,11 @@ decode_and_add_ds(__be32 **pp, struct inode *inode)
> 	/* replace the port dots with dashes for the in4_pton() delimiter*/
> 	for (i = 0; i < 2; i++) {
> 		char *res = strrchr(buf, '.');
> +		if (!res) {
> +			dprintk("%s: Failed finding expected dots in port\n",
> +				__func__);
> +			goto out_free;
> +		}
> 		*res = '-';
> 	}
> 
> @@ -240,7 +245,7 @@ decode_and_add_ds(__be32 **pp, struct inode *inode)
> 	port = htons((tmp[0] << 8) | (tmp[1]));
> 
> 	ds = nfs4_pnfs_ds_add(inode, ip_addr, port);
> -	dprintk("%s Decoded address and port %s\n", __func__, buf);
> +	dprintk("%s: Decoded address and port %s\n", __func__, buf);
> out_free:
> 	kfree(buf);
> out_err:
> 
> 
> -- 
> Jesper Juhl <jj@chaosbits.net>            http://www.chaosbits.net/
> Don't top-post http://www.catb.org/~esr/jargon/html/T/top-post.html
> Plain text mails only, please.
> 
> --
> To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html


^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: [PATCH] NFS4: Avoid potential NULL pointer dereference in decode_and_add_ds().
  2011-01-16 20:50 [PATCH] NFS4: Avoid potential NULL pointer dereference in decode_and_add_ds() Jesper Juhl
  2011-01-17  3:10 ` Mi Jinlong
@ 2011-01-17 17:04 ` Fred Isaman
       [not found]   ` <AANLkTik+Z5C89Hb9Xu3az=deMsXj4rqvYpU=i7vXgdFx-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
  1 sibling, 1 reply; 7+ messages in thread
From: Fred Isaman @ 2011-01-17 17:04 UTC (permalink / raw)
  To: Jesper Juhl; +Cc: linux-nfs, Trond Myklebust, linux-kernel

On Sun, Jan 16, 2011 at 3:50 PM, Jesper Juhl <jj@chaosbits.net> wrote:
> strrchr() can return NULL if nothing is found. If this happens we'll
> dereference a NULL pointer in
> fs/nfs/nfs4filelayoutdev.c::decode_and_add_ds().
>
> I tried to find some other code that guarantees that this can never
> happen but I was unsuccessful. So, unless someone else can point to some
> code that ensures this can never be a problem, I believe this patch is
> needed.
>

The only guarantee is the assumption that the server isn't sending
garbage.  As such, this patch looks good to me.

Fred

> While I was changing this code I also noticed that all the dprintk()
> statements, except one, start with "%s:". The one missing the ":" I added
> it to.
>
> Signed-off-by: Jesper Juhl <jj@chaosbits.net>
> ---
>  nfs4filelayoutdev.c |    7 ++++++-
>  1 file changed, 6 insertions(+), 1 deletion(-)
>
>  only compile tested.
>
> diff --git a/fs/nfs/nfs4filelayoutdev.c b/fs/nfs/nfs4filelayoutdev.c
> index 51fe64a..5a85b8f 100644
> --- a/fs/nfs/nfs4filelayoutdev.c
> +++ b/fs/nfs/nfs4filelayoutdev.c
> @@ -214,7 +214,7 @@ decode_and_add_ds(__be32 **pp, struct inode *inode)
>
>        /* ipv6 length plus port is legal */
>        if (rlen > INET6_ADDRSTRLEN + 8) {
> -               dprintk("%s Invalid address, length %d\n", __func__,
> +               dprintk("%s: Invalid address, length %d\n", __func__,
>                        rlen);
>                goto out_err;
>        }
> @@ -225,6 +225,11 @@ decode_and_add_ds(__be32 **pp, struct inode *inode)
>        /* replace the port dots with dashes for the in4_pton() delimiter*/
>        for (i = 0; i < 2; i++) {
>                char *res = strrchr(buf, '.');
> +               if (!res) {
> +                       dprintk("%s: Failed finding expected dots in port\n",
> +                               __func__);
> +                       goto out_free;
> +               }
>                *res = '-';
>        }
>
>
> --
> Jesper Juhl <jj@chaosbits.net>            http://www.chaosbits.net/
> Don't top-post http://www.catb.org/~esr/jargon/html/T/top-post.html
> Plain text mails only, please.
>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>

^ permalink raw reply	[flat|nested] 7+ messages in thread

[parent not found: <AANLkTik+Z5C89Hb9Xu3az=deMsXj4rqvYpU=i7vXgdFx-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>]

* Re: [PATCH] NFS4: Avoid potential NULL pointer dereference in decode_and_add_ds().
       [not found]   ` <AANLkTik+Z5C89Hb9Xu3az=deMsXj4rqvYpU=i7vXgdFx-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
@ 2011-01-17 18:42     ` Jesper Juhl
       [not found]       ` <alpine.LNX.2.00.1101171941560.27021-h2p7t3/P30RzeRGmFJ5qR7ZzlVVXadcDXqFh9Ls21Oc@public.gmane.org>
  0 siblings, 1 reply; 7+ messages in thread
From: Jesper Juhl @ 2011-01-17 18:42 UTC (permalink / raw)
  To: Fred Isaman; +Cc: linux-nfs, Trond Myklebust, linux-kernel

On Mon, 17 Jan 2011, Fred Isaman wrote:

> On Sun, Jan 16, 2011 at 3:50 PM, Jesper Juhl <jj@chaosbits.net> wrote:
> > strrchr() can return NULL if nothing is found. If this happens we'll
> > dereference a NULL pointer in
> > fs/nfs/nfs4filelayoutdev.c::decode_and_add_ds().
> >
> > I tried to find some other code that guarantees that this can never
> > happen but I was unsuccessful. So, unless someone else can point to some
> > code that ensures this can never be a problem, I believe this patch is
> > needed.
> >
> 
> The only guarantee is the assumption that the server isn't sending
> garbage.  As such, this patch looks good to me.
> 

Thanks. Can I add your Acked-by: if/when I resend the patch?

-- 
Jesper Juhl <jj@chaosbits.net>            http://www.chaosbits.net/
Don't top-post http://www.catb.org/~esr/jargon/html/T/top-post.html
Plain text mails only, please.


^ permalink raw reply	[flat|nested] 7+ messages in thread

[parent not found: <alpine.LNX.2.00.1101171941560.27021-h2p7t3/P30RzeRGmFJ5qR7ZzlVVXadcDXqFh9Ls21Oc@public.gmane.org>]

* Re: [PATCH] NFS4: Avoid potential NULL pointer dereference in decode_and_add_ds().
       [not found]       ` <alpine.LNX.2.00.1101171941560.27021-h2p7t3/P30RzeRGmFJ5qR7ZzlVVXadcDXqFh9Ls21Oc@public.gmane.org>
@ 2011-01-17 19:09         ` Fred Isaman
  0 siblings, 0 replies; 7+ messages in thread
From: Fred Isaman @ 2011-01-17 19:09 UTC (permalink / raw)
  To: Jesper Juhl; +Cc: linux-nfs, Trond Myklebust, linux-kernel

On Mon, Jan 17, 2011 at 1:42 PM, Jesper Juhl <jj@chaosbits.net> wrote:
> On Mon, 17 Jan 2011, Fred Isaman wrote:
>
>> On Sun, Jan 16, 2011 at 3:50 PM, Jesper Juhl <jj@chaosbits.net> wrot=
e:
>> > strrchr() can return NULL if nothing is found. If this happens we'=
ll
>> > dereference a NULL pointer in
>> > fs/nfs/nfs4filelayoutdev.c::decode_and_add_ds().
>> >
>> > I tried to find some other code that guarantees that this can neve=
r
>> > happen but I was unsuccessful. So, unless someone else can point t=
o some
>> > code that ensures this can never be a problem, I believe this patc=
h is
>> > needed.
>> >
>>
>> The only guarantee is the assumption that the server isn't sending
>> garbage. =A0As such, this patch looks good to me.
>>
>
> Thanks. Can I add your Acked-by: if/when I resend the patch?
>

Yes.

=46red

> --
> Jesper Juhl <jj@chaosbits.net> =A0 =A0 =A0 =A0 =A0 =A0http://www.chao=
sbits.net/
> Don't top-post http://www.catb.org/~esr/jargon/html/T/top-post.html
> Plain text mails only, please.
>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-nfs" =
in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at =A0http://vger.kernel.org/majordomo-info.html
>

^ permalink raw reply	[flat|nested] 7+ messages in thread

end of thread, other threads:[~2011-01-18 14:43 UTC | newest]

Thread overview: 7+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2011-01-16 20:50 [PATCH] NFS4: Avoid potential NULL pointer dereference in decode_and_add_ds() Jesper Juhl
2011-01-17  3:10 ` Mi Jinlong
2011-01-17 18:41   ` Jesper Juhl
     [not found]     ` <alpine.LNX.2.00.1101171940480.27021-h2p7t3/P30RzeRGmFJ5qR7ZzlVVXadcDXqFh9Ls21Oc@public.gmane.org>
2011-01-18 14:43       ` Andy Adamson
2011-01-17 17:04 ` Fred Isaman
     [not found]   ` <AANLkTik+Z5C89Hb9Xu3az=deMsXj4rqvYpU=i7vXgdFx-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2011-01-17 18:42     ` Jesper Juhl
     [not found]       ` <alpine.LNX.2.00.1101171941560.27021-h2p7t3/P30RzeRGmFJ5qR7ZzlVVXadcDXqFh9Ls21Oc@public.gmane.org>
2011-01-17 19:09         ` Fred Isaman

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).