From: "J. Bruce Fields" <bfields@fieldses.org>
To: NeilBrown <neilb@suse.com>
Cc: linux-nfs@vger.kernel.org, Neil Brown <neilb@suse.de>
Subject: Re: [PATCH] nfsd: check for oversized NFSv2/v3 arguments
Date: Thu, 20 Apr 2017 11:16:25 -0400
Message-ID: <20170420151625.GA4782@fieldses.org>
In-Reply-To: <87y3uvsxp5.fsf@notabene.neil.brown.name>

On Thu, Apr 20, 2017 at 10:57:10AM +1000, NeilBrown wrote:
> I realise NFSv4 compounds don't have that limitation.
> I wondered what code in the NFSv4 server ensures that we don't try to use
> more memory than was allocated.
> 
> I notice lots of calls to xdr_reserve_space() in nfs4xdr.c.  Many of them
> trigger nfserr_resource when xdr_reserve_space() returns NULL.
> But not all.
> nfsd4_encode_readv() just pops up a warning.  Once.  Then will
> (eventually) de-reference the NULL pointer and crash.
> So presumably it really cannot happen (should be a BUG_ON anyway)?
> So why can this not happen?
> I see that nfsd4_encode_read() limits the size of the read to
>   xdr->buf->buflen - xdr->buf->len
> and nfsd4_encode_readdir() does a similar thing when computing
> bytes_left.
> 
> So, it is more careful about using the allocated pages than v2/3 is.

Yes.  The v4 code was written from the start with overflow checks
preceding any encode or decode.  And I tried to think this all through
carefully when I rewrote the encoding side a few years ago.  But I don't
think that really got much review, and test coverage is poor (a big
thanks here to the Synopsys people for their fuzzing work), so additional
skeptical eyes are welcomed....

There's a lot of tricky hand-written code here handling data from the
network.  Every now and then somebody brings up the idea of trying to
autogenerate it, as is traditionally done for rpc programs.  No idea how
practical that is.

--b.
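The encode-side pattern the two messages above describe, as an added example that is not part of this thread or of nfsd: a user-space C model in which xdr_reserve_space() returns NULL when a reply would overrun its buffer, one encoder turns that NULL into NFS4ERR_RESOURCE, and a READ-style encoder clamps its payload to buflen - len before reserving, so the reservation cannot fail. The struct layouts, the encode_*/demo_* helpers and the 64-byte "file contents" are constructed for illustration; only the names and the idea are borrowed from the kernel.

```c
/*
 * Added example (not kernel code): a user-space model of the NFSv4 XDR
 * encode-side overflow handling discussed above.  xdr_buf, xdr_stream,
 * xdr_reserve_space, len and buflen echo the kernel's names but are
 * simplified re-implementations; encode_* and demo_* are hypothetical.
 */
#include <stdint.h>
#include <string.h>

#define NFS4ERR_RESOURCE 10018	/* RFC 7530 */

/* len = bytes encoded so far, buflen = bytes allocated for the reply */
struct xdr_buf { unsigned char *base; size_t len, buflen; };
struct xdr_stream { struct xdr_buf *buf; };

static size_t xdr_align(size_t n) { return (n + 3) & ~(size_t)3; }

/*
 * Reserve nbytes (rounded to the 4-byte XDR unit) of reply space, or NULL if
 * that would run past buflen.  Ignoring the NULL is the crash Neil describes;
 * mapping it to NFS4ERR_RESOURCE is the intended pattern.
 */
static unsigned char *xdr_reserve_space(struct xdr_stream *xdr, size_t nbytes)
{
	struct xdr_buf *buf = xdr->buf;
	size_t need = xdr_align(nbytes);
	if (need > buf->buflen - buf->len)
		return NULL;
	buf->len += need;
	return buf->base + buf->len - need;
}

static void put_be32(unsigned char *p, uint32_t v)
{
	p[0] = v >> 24; p[1] = v >> 16; p[2] = v >> 8; p[3] = v;
}

/* opaque<> encoder that honours the reservation result. */
static int encode_opaque_checked(struct xdr_stream *xdr,
				 const void *data, uint32_t count)
{
	unsigned char *p = xdr_reserve_space(xdr, 4 + count);
	if (!p)
		return NFS4ERR_RESOURCE;
	put_be32(p, count);
	memcpy(p + 4, data, count);
	memset(p + 4 + count, 0, xdr_align(count) - count);	/* XDR padding */
	return 0;
}

/*
 * READ-style encoder: rather than fail, clamp the payload to what fits in
 * buflen - len after the 4-byte length word (as the thread says
 * nfsd4_encode_read does).  Returns bytes encoded, or -1 if even that won't fit.
 */
static long encode_read_clamped(struct xdr_stream *xdr,
				const void *data, size_t want)
{
	size_t left = xdr->buf->buflen - xdr->buf->len;
	size_t count;
	unsigned char *p;
	if (left < 4)
		return -1;
	count = (left - 4) & ~(size_t)3;	/* largest aligned payload that fits */
	if (count > want)
		count = want;
	p = xdr_reserve_space(xdr, 4 + count);
	if (!p)		/* unreachable after the clamp; kept on principle */
		return -1;
	put_be32(p, (uint32_t)count);
	memcpy(p + 4, data, count);
	memset(p + 4 + count, 0, xdr_align(count) - count);
	return (long)count;
}

/* Constructed file contents standing in for a READ result (64 bytes). */
static const unsigned char filedata[] =
	"0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef";

/* Two opaques into a 16-byte reply: the second must fail, not crash. */
int demo_checked_overflow(void)
{
	unsigned char reply[16];
	struct xdr_buf buf = { reply, 0, sizeof reply };
	struct xdr_stream xdr = { &buf };
	if (encode_opaque_checked(&xdr, "abcde", 5) != 0)	/* takes 4 + 8 */
		return -1;
	return encode_opaque_checked(&xdr, "xyz", 3);		/* needs 8, 4 left */
}

/* READ of `want` bytes (<= 64) into a `buflen`-byte reply (<= 64). */
long demo_clamped_read(size_t buflen, size_t want)
{
	unsigned char reply[64];
	struct xdr_buf buf = { reply, 0, buflen };
	struct xdr_stream xdr = { &buf };
	if (buflen > sizeof reply || want > sizeof filedata - 1)
		return -1;
	return encode_read_clamped(&xdr, filedata, want);
}
```

The clamped variant is what makes a later "cannot happen" true: the reservation only succeeds unconditionally because the caller did the buflen - len arithmetic first. That guarantee is only as good as the caller's arithmetic, so the NULL check after xdr_reserve_space() is kept anyway; it costs one branch and turns a future mistake in the clamp into an error return instead of a NULL dereference.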

Thread overview: 21+ messages
2017-04-14 15:04 [PATCH] nfsd: check for oversized NFSv2/v3 arguments J. Bruce Fields
2017-04-14 15:09 ` J. Bruce Fields
2017-04-18  0:25   ` NeilBrown
2017-04-18 17:13     ` J. Bruce Fields
2017-04-19  0:17       ` NeilBrown
2017-04-19  0:44         ` J. Bruce Fields
2017-04-20  0:57           ` NeilBrown
2017-04-20 15:16             ` J. Bruce Fields [this message]
2017-04-20 16:19       ` J. Bruce Fields
2017-04-20 21:30         ` J. Bruce Fields
2017-04-20 22:11           ` NeilBrown
2017-04-20 22:19             ` J. Bruce Fields
2017-04-21 21:12         ` J. Bruce Fields
2017-04-23 22:21           ` NeilBrown
2017-04-24 14:06             ` J. Bruce Fields
2017-04-24 21:19               ` J. Bruce Fields
2017-04-24 21:20                 ` J. Bruce Fields
2017-04-25  3:15                   ` NeilBrown
2017-04-25 20:40                     ` J. Bruce Fields
2017-04-26  6:31                       ` NeilBrown
2017-04-25  3:00                 ` NeilBrown
