From: David Howells <dhowells@redhat.com>
To: viro@ZenIV.linux.org.uk
Cc: Marc Dionne <marc.dionne@auristor.com>,
	dhowells@redhat.com, linux-fsdevel@vger.kernel.org,
	linux-kernel@vger.kernel.org, linux-afs@lists.infradead.org
Subject: [PATCH 05/14] afs: Deal with an empty callback array
Date: Fri, 24 Feb 2017 13:13:55 +0000
Message-ID: <148794203506.28770.17245203508913822228.stgit@warthog.procyon.org.uk>
In-Reply-To: <148794199962.28770.5291326312391230868.stgit@warthog.procyon.org.uk>

From: Marc Dionne <marc.dionne@auristor.com>

Servers may send a callback array that is the same size as
the FID array, or an empty array.  If the callback count is
0, the code would attempt to read (fid_count * 12) bytes of
data, which would fail and result in an unmarshalling error.
This would lead to stale data for remotely modified files
or directories.

Store the callback array size in the internal afs_call
structure and use that to determine the amount of data to
read.

Signed-off-by: Marc Dionne <marc.dionne@auristor.com>
---

 fs/afs/cmservice.c |   11 +++++------
 fs/afs/internal.h  |    5 ++++-
 2 files changed, 9 insertions(+), 7 deletions(-)

diff --git a/fs/afs/cmservice.c b/fs/afs/cmservice.c
index 2edbdcbf6432..3062cceb5c2a 100644
--- a/fs/afs/cmservice.c
+++ b/fs/afs/cmservice.c
@@ -187,7 +187,6 @@ static int afs_deliver_cb_callback(struct afs_call *call)
 	struct afs_callback *cb;
 	struct afs_server *server;
 	__be32 *bp;
-	u32 tmp;
 	int ret, loop;
 
 	_enter("{%u}", call->unmarshall);
@@ -249,9 +248,9 @@ static int afs_deliver_cb_callback(struct afs_call *call)
 		if (ret < 0)
 			return ret;
 
-		tmp = ntohl(call->tmp);
-		_debug("CB count: %u", tmp);
-		if (tmp != call->count && tmp != 0)
+		call->count2 = ntohl(call->tmp);
+		_debug("CB count: %u", call->count2);
+		if (call->count2 != call->count && call->count2 != 0)
 			return -EBADMSG;
 		call->offset = 0;
 		call->unmarshall++;
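Review bot: the value stored in call->count2 here comes straight from the peer and drives the read length in the next phase, so the check that it is either 0 or call->count is the only thing bounding that read; the old code already read call->count * 12 bytes into call->buffer, so the new sizing never exceeds the previous maximum, but that reliance deserves a comment next to the check, e.g. `/* an empty CB array is valid; any other size must match the FID array */`.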
@@ -259,14 +258,14 @@ static int afs_deliver_cb_callback(struct afs_call *call)
 	case 4:
 		_debug("extract CB array");
 		ret = afs_extract_data(call, call->buffer,
-				       call->count * 3 * 4, false);
+				       call->count2 * 3 * 4, false);
 		if (ret < 0)
 			return ret;
 
 		_debug("unmarshall CB array");
 		cb = call->request;
 		bp = call->buffer;
-		for (loop = call->count; loop > 0; loop--, cb++) {
+		for (loop = call->count2; loop > 0; loop--, cb++) {
 			cb->version	= ntohl(*bp++);
 			cb->expiry	= ntohl(*bp++);
 			cb->type	= ntohl(*bp++);
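Review bot: with call->count2 == 0, afs_extract_data() is now called with a zero length in this phase; worth confirming that it returns 0 immediately for that case rather than waiting for data the server will never send, and that whatever consumes call->request after delivery does not read the callback entries when only FIDs were received, since the loop now fills none of them.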
diff --git a/fs/afs/internal.h b/fs/afs/internal.h
index 8acf3670e756..68a40e880eb9 100644
--- a/fs/afs/internal.h
+++ b/fs/afs/internal.h
@@ -90,7 +90,10 @@ struct afs_call {
 	unsigned		request_size;	/* size of request data */
 	unsigned		reply_max;	/* maximum size of reply */
 	unsigned		first_offset;	/* offset into mapping[first] */
-	unsigned		last_to;	/* amount of mapping[last] */
+	union {
+		unsigned	last_to;	/* amount of mapping[last] */
+		unsigned	count2;		/* count used in unmarshalling */
+	};
 	unsigned char		unmarshall;	/* unmarshalling phase */
 	bool			incoming;	/* T if incoming call */
 	bool			send_pages;	/* T if data from mapping should be sent */
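Review bot: overlaying count2 on last_to in an anonymous union relies on the two never being live on the same call (last_to belongs to outgoing page sends, count2 to unmarshalling an incoming call); that mutual exclusion should be stated in the union's comment, because any future path that sets last_to on an incoming call would silently change the length read in afs_deliver_cb_callback(). The comment `/* count used in unmarshalling */` is also vague about which count; naming it the callback-array count would help.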

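The sizing bug the commit message describes, as an added stand-alone C model (not kernel code and not part of the patch): a callback array of 0 or fid_count entries of 12 bytes, with `deliver_cb_array()` reproducing the pre-patch and post-patch read length. `be32`, `cb_count_check` and the sample wire bytes are constructed here for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* One callback entry on the wire, as afs_deliver_cb_callback() reads it:
 * three big-endian 32-bit words (version, expiry, type) = 12 bytes. */
#define CB_ENTRY_BYTES (3 * 4)
struct cb_entry { uint32_t version, expiry, type; };

static uint32_t be32(const uint8_t *p)
{
	return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
	       ((uint32_t)p[2] << 8) | p[3];
}

/* Phase-3 check from the patched code: the callback array must be empty
 * or exactly as long as the FID array, anything else is -EBADMSG (-1 here). */
static int cb_count_check(uint32_t fid_count, uint32_t cb_count)
{
	return (cb_count == 0 || cb_count == fid_count) ? 0 : -1;
}

/* Phase 4 for both versions: fixed == 0 sizes the read from the FID count
 * (pre-patch), fixed == 1 from the count the server sent (post-patch).
 * avail = bytes of callback array actually on the wire. Returns entries
 * unmarshalled, or -1 when the extract cannot be satisfied. */
static int deliver_cb_array(int fixed, uint32_t fid_count, uint32_t cb_count,
			    const uint8_t *buf, size_t avail, struct cb_entry *out)
{
	uint32_t n = fixed ? cb_count : fid_count;
	size_t want = (size_t)n * CB_ENTRY_BYTES;

	if (cb_count_check(fid_count, cb_count) < 0)
		return -1;
	if (avail < want)	/* afs_extract_data() would fail: short data */
		return -1;
	for (uint32_t i = 0; i < n; i++, buf += CB_ENTRY_BYTES) {
		out[i].version = be32(buf);
		out[i].expiry  = be32(buf + 4);
		out[i].type    = be32(buf + 8);
	}
	return (int)n;
}

/* Constructed sample: server announces two FIDs and an empty callback
 * array, so zero callback bytes follow (the 1-byte array is a placeholder). */
static const uint8_t empty_cb_wire[1] = { 0 };
static int demo_empty_array(int fixed)
{
	struct cb_entry cbs[2];
	return deliver_cb_array(fixed, 2, 0, empty_cb_wire, 0, cbs);
}
```

`demo_empty_array(0)` reproduces the pre-patch failure (-1, the unmarshalling error), while `demo_empty_array(1)` accepts the empty array and decodes nothing.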