| Message ID | 166171262829.21449.4256057697517661592.stgit@manet.1015granger.net (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | Fixes for server-side xdr_stream overhaul | expand |
On Sun, 2022-08-28 at 14:50 -0400, Chuck Lever wrote: > Commit 2825a7f90753 ("nfsd4: allow encoding across page boundaries") > added an explicit computation of the remaining length in the rq_res > XDR buffer. > > The computation appears to suffer from an "off-by-one" bug. Because > buflen is too large by one page, XDR encoding can run off the end of > the send buffer by eventually trying to use the struct page address > in rq_page_end, which always contains NULL. > > Fixes: bddfdbcddbe2 ("NFSD: Extract the svcxdr_init_encode() helper") > Signed-off-by: Chuck Lever <chuck.lever@oracle.com> > --- > include/linux/sunrpc/svc.h | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/include/linux/sunrpc/svc.h b/include/linux/sunrpc/svc.h > index 5a830b66f059..0ca8a8ffb47e 100644 > --- a/include/linux/sunrpc/svc.h > +++ b/include/linux/sunrpc/svc.h > @@ -587,7 +587,7 @@ static inline void svcxdr_init_encode(struct svc_rqst *rqstp) > xdr->end = resv->iov_base + PAGE_SIZE - rqstp->rq_auth_slack; > buf->len = resv->iov_len; > xdr->page_ptr = buf->pages - 1; > - buf->buflen = PAGE_SIZE * (1 + rqstp->rq_page_end - buf->pages); > + buf->buflen = PAGE_SIZE * (rqstp->rq_page_end - buf->pages); > buf->buflen -= rqstp->rq_auth_slack; > xdr->rqst = NULL; > } > > Reviewed-by: Jeff Layton <jlayton@kernel.org>
diff --git a/include/linux/sunrpc/svc.h b/include/linux/sunrpc/svc.h index 5a830b66f059..0ca8a8ffb47e 100644 --- a/include/linux/sunrpc/svc.h +++ b/include/linux/sunrpc/svc.h @@ -587,7 +587,7 @@ static inline void svcxdr_init_encode(struct svc_rqst *rqstp) xdr->end = resv->iov_base + PAGE_SIZE - rqstp->rq_auth_slack; buf->len = resv->iov_len; xdr->page_ptr = buf->pages - 1; - buf->buflen = PAGE_SIZE * (1 + rqstp->rq_page_end - buf->pages); + buf->buflen = PAGE_SIZE * (rqstp->rq_page_end - buf->pages); buf->buflen -= rqstp->rq_auth_slack; xdr->rqst = NULL; }
Commit 2825a7f90753 ("nfsd4: allow encoding across page boundaries") added an explicit computation of the remaining length in the rq_res XDR buffer. The computation appears to suffer from an "off-by-one" bug. Because buflen is too large by one page, XDR encoding can run off the end of the send buffer by eventually trying to use the struct page address in rq_page_end, which always contains NULL. Fixes: bddfdbcddbe2 ("NFSD: Extract the svcxdr_init_encode() helper") Signed-off-by: Chuck Lever <chuck.lever@oracle.com> --- include/linux/sunrpc/svc.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)