From: Chuck Lever <chuck.lever@oracle.com>
To: linux-nfs@vger.kernel.org
Subject: [PATCH v3 5/6] NFSD: Protect against send buffer overflow in NFSv2 READ
Date: Thu, 01 Sep 2022 15:10:18 -0400 [thread overview]
Message-ID: <166205941847.1435.15080240781458940273.stgit@manet.1015granger.net> (raw)
In-Reply-To: <166204973526.1435.6068003336048840051.stgit@manet.1015granger.net>
Since before the git era, NFSD has conserved the number of pages
held by each nfsd thread by combining the RPC receive and send
buffers into a single array of pages. This works because there are
no cases where an operation needs a large RPC Call message and a
large RPC Reply at the same time.
Once an RPC Call has been received, svc_process() updates
svc_rqst::rq_res to describe the part of rq_pages that can be
used for constructing the Reply. This means that the send buffer
(rq_res) shrinks when the received RPC record containing the RPC
Call is large.
A client can force this shrinkage on TCP by sending a correctly-
formed RPC Call header contained in an RPC record that is
excessively large. The full maximum payload size cannot be
constructed in that case.
Cc: <stable@vger.kernel.org>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
---
fs/nfsd/nfsproc.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/fs/nfsd/nfsproc.c b/fs/nfsd/nfsproc.c
index ddb1902c0a18..4b19cc727ea5 100644
--- a/fs/nfsd/nfsproc.c
+++ b/fs/nfsd/nfsproc.c
@@ -185,6 +185,7 @@ nfsd_proc_read(struct svc_rqst *rqstp)
argp->count, argp->offset);
argp->count = min_t(u32, argp->count, NFSSVC_MAXBLKSIZE_V2);
+ argp->count = min_t(u32, argp->count, rqstp->rq_res.buflen);
v = 0;
len = argp->count;
next prev parent reply other threads:[~2022-09-01 19:10 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-09-01 19:09 [PATCH v3 0/6] Fixes for server-side xdr_stream overhaul Chuck Lever
2022-09-01 19:09 ` [PATCH v3 1/6] SUNRPC: Fix svcxdr_init_decode's end-of-buffer calculation Chuck Lever
2022-09-01 19:09 ` [PATCH v3 2/6] SUNRPC: Fix svcxdr_init_encode's buflen calculation Chuck Lever
2022-09-01 19:10 ` [PATCH v3 3/6] NFSD: Protect against send buffer overflow in NFSv2 READDIR Chuck Lever
2022-09-02 13:09 ` Jeff Layton
2022-09-01 19:10 ` [PATCH v3 4/6] NFSD: Protect against send buffer overflow in NFSv3 READDIR Chuck Lever
2022-09-02 13:12 ` Jeff Layton
2022-09-01 19:10 ` Chuck Lever [this message]
2022-09-02 13:14 ` [PATCH v3 5/6] NFSD: Protect against send buffer overflow in NFSv2 READ Jeff Layton
2022-09-01 19:10 ` [PATCH v3 6/6] NFSD: Protect against send buffer overflow in NFSv3 READ Chuck Lever
2022-09-02 13:15 ` Jeff Layton
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=166205941847.1435.15080240781458940273.stgit@manet.1015granger.net \
--to=chuck.lever@oracle.com \
--cc=linux-nfs@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.