Re: [PATCH v3 6/6] NFSD: Protect against send buffer overflow in NFSv3 READ

public inbox for linux-nfs@vger.kernel.org
 help / color / mirror / Atom feed

From: Jeff Layton <jlayton@kernel.org>
To: Chuck Lever <chuck.lever@oracle.com>, linux-nfs@vger.kernel.org
Subject: Re: [PATCH v3 6/6] NFSD: Protect against send buffer overflow in NFSv3 READ
Date: Fri, 02 Sep 2022 09:15:21 -0400	[thread overview]
Message-ID: <d6c49af5c8b5635d5537e1cc1f43da7c16617c64.camel@kernel.org> (raw)
In-Reply-To: <166205942489.1435.8984764212504461615.stgit@manet.1015granger.net>

On Thu, 2022-09-01 at 15:10 -0400, Chuck Lever wrote:
> Since before the git era, NFSD has conserved the number of pages
> held by each nfsd thread by combining the RPC receive and send
> buffers into a single array of pages. This works because there are
> no cases where an operation needs a large RPC Call message and a
> large RPC Reply at the same time.
> 
> Once an RPC Call has been received, svc_process() updates
> svc_rqst::rq_res to describe the part of rq_pages that can be
> used for constructing the Reply. This means that the send buffer
> (rq_res) shrinks when the received RPC record containing the RPC
> Call is large.
> 
> A client can force this shrinkage on TCP by sending a correctly-
> formed RPC Call header contained in an RPC record that is
> excessively large. The full maximum payload size cannot be
> constructed in that case.
> 
> Cc: <stable@vger.kernel.org>
> Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
> ---
>  fs/nfsd/nfs3proc.c |    4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/fs/nfsd/nfs3proc.c b/fs/nfsd/nfs3proc.c
> index 7a159785499a..5b1e771238b3 100644
> --- a/fs/nfsd/nfs3proc.c
> +++ b/fs/nfsd/nfs3proc.c
> @@ -150,7 +150,6 @@ nfsd3_proc_read(struct svc_rqst *rqstp)
>  {
>  	struct nfsd3_readargs *argp = rqstp->rq_argp;
>  	struct nfsd3_readres *resp = rqstp->rq_resp;
> -	u32 max_blocksize = svc_max_payload(rqstp);
>  	unsigned int len;
>  	int v;
>  
> @@ -159,7 +158,8 @@ nfsd3_proc_read(struct svc_rqst *rqstp)
>  				(unsigned long) argp->count,
>  				(unsigned long long) argp->offset);
>  
> -	argp->count = min_t(u32, argp->count, max_blocksize);
> +	argp->count = min_t(u32, argp->count, svc_max_payload(rqstp));
> +	argp->count = min_t(u32, argp->count, rqstp->rq_res.buflen);
>  	if (argp->offset > (u64)OFFSET_MAX)
>  		argp->offset = (u64)OFFSET_MAX;
>  	if (argp->offset + argp->count > (u64)OFFSET_MAX)
> 
> 

Reviewed-by: Jeff Layton <jlayton@kernel.org>

     prev parent reply	other threads:[~2022-09-02 14:03 UTC|newest]

Thread overview: 11+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-09-01 19:09 [PATCH v3 0/6] Fixes for server-side xdr_stream overhaul Chuck Lever
2022-09-01 19:09 ` [PATCH v3 1/6] SUNRPC: Fix svcxdr_init_decode's end-of-buffer calculation Chuck Lever
2022-09-01 19:09 ` [PATCH v3 2/6] SUNRPC: Fix svcxdr_init_encode's buflen calculation Chuck Lever
2022-09-01 19:10 ` [PATCH v3 3/6] NFSD: Protect against send buffer overflow in NFSv2 READDIR Chuck Lever
2022-09-02 13:09   ` Jeff Layton
2022-09-01 19:10 ` [PATCH v3 4/6] NFSD: Protect against send buffer overflow in NFSv3 READDIR Chuck Lever
2022-09-02 13:12   ` Jeff Layton
2022-09-01 19:10 ` [PATCH v3 5/6] NFSD: Protect against send buffer overflow in NFSv2 READ Chuck Lever
2022-09-02 13:14   ` Jeff Layton
2022-09-01 19:10 ` [PATCH v3 6/6] NFSD: Protect against send buffer overflow in NFSv3 READ Chuck Lever
2022-09-02 13:15   ` Jeff Layton [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=d6c49af5c8b5635d5537e1cc1f43da7c16617c64.camel@kernel.org \
    --to=jlayton@kernel.org \
    --cc=chuck.lever@oracle.com \
    --cc=linux-nfs@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox