* [PATCH] rpcrdma_decode_msg: check xdr_inline_decode result
@ 2019-07-24 1:51 Navid Emamdoost
2019-07-24 2:02 ` Chuck Lever
0 siblings, 1 reply; 2+ messages in thread
From: Navid Emamdoost @ 2019-07-24 1:51 UTC (permalink / raw)
Cc: emamd001, kjlu, smccaman, secalert, Navid Emamdoost,
Trond Myklebust, Anna Schumaker, J. Bruce Fields, Chuck Lever,
David S. Miller, linux-nfs, netdev, linux-kernel
xdr_inline_decode may return NULL, so the check is necessary. The base
pointer will be dereferenced later in rpcrdma_inline_fixup.
Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
---
net/sunrpc/xprtrdma/rpc_rdma.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/net/sunrpc/xprtrdma/rpc_rdma.c b/net/sunrpc/xprtrdma/rpc_rdma.c
index 4345e6912392..d0479efe0e72 100644
--- a/net/sunrpc/xprtrdma/rpc_rdma.c
+++ b/net/sunrpc/xprtrdma/rpc_rdma.c
@@ -1160,6 +1160,9 @@ rpcrdma_decode_msg(struct rpcrdma_xprt *r_xprt, struct rpcrdma_rep *rep,
/* Build the RPC reply's Payload stream in rqst->rq_rcv_buf */
base = (char *)xdr_inline_decode(xdr, 0);
+ if (!base)
+ return -EIO;
+
rpclen = xdr_stream_remaining(xdr);
r_xprt->rx_stats.fixup_copy_count +=
rpcrdma_inline_fixup(rqst, base, rpclen, writelist & 3);
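Review bot: The added `if (!base)` test follows a call that passes 0 as the length, `xdr_inline_decode(xdr, 0)`, and the commit message only says the function "may return NULL" without saying whether that applies to a zero-length request. Before this goes in, the changelog should point to the path in xdr_inline_decode that returns NULL when the requested length is 0. If there is no such path, the check is dead code and should be dropped. If the concern is the later dereference in rpcrdma_inline_fixup, note that the amount consumed there is `rpclen`, which comes from `xdr_stream_remaining(xdr)` on the following line, so that is the value whose bounds the description needs to discuss.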
--
2.17.1
* Re: [PATCH] rpcrdma_decode_msg: check xdr_inline_decode result
From: Chuck Lever @ 2019-07-24 2:02 UTC (permalink / raw)
To: Navid Emamdoost
Cc: emamd001, kjlu, smccaman, secalert, Trond Myklebust,
Anna Schumaker, J. Bruce Fields, David S. Miller, linux-nfs,
netdev, linux-kernel
> On Jul 23, 2019, at 9:51 PM, Navid Emamdoost <navid.emamdoost@gmail.com> wrote:
>
> xdr_inline_decode may return NULL, so the check is necessary. The base
> pointer will be dereferenced later in rpcrdma_inline_fixup.
NACK. When xdr_inline_decode is passed a zero “length” argument, it can never return NULL.
> Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
> ---
> net/sunrpc/xprtrdma/rpc_rdma.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/net/sunrpc/xprtrdma/rpc_rdma.c b/net/sunrpc/xprtrdma/rpc_rdma.c
> index 4345e6912392..d0479efe0e72 100644
> --- a/net/sunrpc/xprtrdma/rpc_rdma.c
> +++ b/net/sunrpc/xprtrdma/rpc_rdma.c
> @@ -1160,6 +1160,9 @@ rpcrdma_decode_msg(struct rpcrdma_xprt *r_xprt, struct rpcrdma_rep *rep,
>
> /* Build the RPC reply's Payload stream in rqst->rq_rcv_buf */
> base = (char *)xdr_inline_decode(xdr, 0);
> + if (!base)
> + return -EIO;
> +
> rpclen = xdr_stream_remaining(xdr);
> r_xprt->rx_stats.fixup_copy_count +=
> rpcrdma_inline_fixup(rqst, base, rpclen, writelist & 3);
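Review bot: The errno chosen in `return -EIO;` is not justified anywhere in the hunk or the changelog, and the early return leaves the function before the `fixup_copy_count` update and the `rpcrdma_inline_fixup` call. The visible context shows no other failure path in rpcrdma_decode_msg to compare against, so if the check is kept, the commit message should name the errno the function's existing error returns use and the patch should match it. A one-line comment above `if (!base)` stating the condition being guarded would also help.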
> --
> 2.17.1
>