nfsd4: minor NFSv2/v3 write decoding cleanup
This commit is contained in:
parent
0e77dea5fc
commit
7961205000
|
@ -374,6 +374,7 @@ linux (4.9.25-1) UNRELEASED; urgency=medium
|
|||
* macsec: avoid heap overflow in skb_to_sgvec (CVE-2017-7477)
|
||||
* macsec: dynamically allocate space for sglist
|
||||
* nfsd: check for oversized NFSv2/v3 arguments (CVE-2017-7645)
|
||||
* nfsd4: minor NFSv2/v3 write decoding cleanup
|
||||
|
||||
[ Aurelien Jarno ]
|
||||
* [mips*/octeon] Drop obsolete patch adding support for the UBNT E200
|
||||
|
|
|
@ -0,0 +1,84 @@
|
|||
From: "J. Bruce Fields" <bfields@redhat.com>
|
||||
Date: Tue, 25 Apr 2017 16:21:34 -0400
|
||||
Subject: nfsd4: minor NFSv2/v3 write decoding cleanup
|
||||
Origin: https://git.kernel.org/linus/db44bac41bbfc0c0d9dd943092d8bded3c9db19b
|
||||
|
||||
Use a couple shortcuts that will simplify a following bugfix.
|
||||
|
||||
Cc: stable@vger.kernel.org
|
||||
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
|
||||
---
|
||||
fs/nfsd/nfs3xdr.c | 9 +++++----
|
||||
fs/nfsd/nfsxdr.c | 8 ++++----
|
||||
2 files changed, 9 insertions(+), 8 deletions(-)
|
||||
|
||||
diff --git a/fs/nfsd/nfs3xdr.c b/fs/nfsd/nfs3xdr.c
|
||||
index dba2ff8..d18cfdd 100644
|
||||
--- a/fs/nfsd/nfs3xdr.c
|
||||
+++ b/fs/nfsd/nfs3xdr.c
|
||||
@@ -358,6 +358,8 @@ nfs3svc_decode_writeargs(struct svc_rqst *rqstp, __be32 *p,
|
||||
{
|
||||
unsigned int len, v, hdr, dlen;
|
||||
u32 max_blocksize = svc_max_payload(rqstp);
|
||||
+ struct kvec *head = rqstp->rq_arg.head;
|
||||
+ struct kvec *tail = rqstp->rq_arg.tail;
|
||||
|
||||
p = decode_fh(p, &args->fh);
|
||||
if (!p)
|
||||
@@ -377,9 +379,8 @@ nfs3svc_decode_writeargs(struct svc_rqst *rqstp, __be32 *p,
|
||||
* Check to make sure that we got the right number of
|
||||
* bytes.
|
||||
*/
|
||||
- hdr = (void*)p - rqstp->rq_arg.head[0].iov_base;
|
||||
- dlen = rqstp->rq_arg.head[0].iov_len + rqstp->rq_arg.page_len
|
||||
- + rqstp->rq_arg.tail[0].iov_len - hdr;
|
||||
+ hdr = (void*)p - head->iov_base;
|
||||
+ dlen = head->iov_len + rqstp->rq_arg.page_len + tail->iov_len - hdr;
|
||||
/*
|
||||
* Round the length of the data which was specified up to
|
||||
* the next multiple of XDR units and then compare that
|
||||
@@ -396,7 +397,7 @@ nfs3svc_decode_writeargs(struct svc_rqst *rqstp, __be32 *p,
|
||||
len = args->len = max_blocksize;
|
||||
}
|
||||
rqstp->rq_vec[0].iov_base = (void*)p;
|
||||
- rqstp->rq_vec[0].iov_len = rqstp->rq_arg.head[0].iov_len - hdr;
|
||||
+ rqstp->rq_vec[0].iov_len = head->iov_len - hdr;
|
||||
v = 0;
|
||||
while (len > rqstp->rq_vec[v].iov_len) {
|
||||
len -= rqstp->rq_vec[v].iov_len;
|
||||
diff --git a/fs/nfsd/nfsxdr.c b/fs/nfsd/nfsxdr.c
|
||||
index 41b468a..59bd88a 100644
|
||||
--- a/fs/nfsd/nfsxdr.c
|
||||
+++ b/fs/nfsd/nfsxdr.c
|
||||
@@ -280,6 +280,7 @@ nfssvc_decode_writeargs(struct svc_rqst *rqstp, __be32 *p,
|
||||
struct nfsd_writeargs *args)
|
||||
{
|
||||
unsigned int len, hdr, dlen;
|
||||
+ struct kvec *head = rqstp->rq_arg.head;
|
||||
int v;
|
||||
|
||||
p = decode_fh(p, &args->fh);
|
||||
@@ -300,9 +301,8 @@ nfssvc_decode_writeargs(struct svc_rqst *rqstp, __be32 *p,
|
||||
* Check to make sure that we got the right number of
|
||||
* bytes.
|
||||
*/
|
||||
- hdr = (void*)p - rqstp->rq_arg.head[0].iov_base;
|
||||
- dlen = rqstp->rq_arg.head[0].iov_len + rqstp->rq_arg.page_len
|
||||
- - hdr;
|
||||
+ hdr = (void*)p - head->iov_base;
|
||||
+ dlen = head->iov_len + rqstp->rq_arg.page_len - hdr;
|
||||
|
||||
/*
|
||||
* Round the length of the data which was specified up to
|
||||
@@ -316,7 +316,7 @@ nfssvc_decode_writeargs(struct svc_rqst *rqstp, __be32 *p,
|
||||
return 0;
|
||||
|
||||
rqstp->rq_vec[0].iov_base = (void*)p;
|
||||
- rqstp->rq_vec[0].iov_len = rqstp->rq_arg.head[0].iov_len - hdr;
|
||||
+ rqstp->rq_vec[0].iov_len = head->iov_len - hdr;
|
||||
v = 0;
|
||||
while (len > rqstp->rq_vec[v].iov_len) {
|
||||
len -= rqstp->rq_vec[v].iov_len;
|
||||
--
|
||||
2.1.4
|
||||
|
|
@ -111,6 +111,7 @@ bugfix/all/ping-implement-proper-locking.patch
|
|||
bugfix/all/macsec-avoid-heap-overflow-in-skb_to_sgvec.patch
|
||||
bugfix/all/macsec-dynamically-allocate-space-for-sglist.patch
|
||||
bugfix/all/nfsd-check-for-oversized-NFSv2-v3-arguments.patch
|
||||
bugfix/all/nfsd4-minor-NFSv2-v3-write-decoding-cleanup.patch
|
||||
|
||||
# Fix exported symbol versions
|
||||
bugfix/ia64/revert-ia64-move-exports-to-definitions.patch
|
||||
|
|
Loading…
Reference in New Issue