From patchwork Thu Jul 14 04:02:01 2016
X-Patchwork-Submitter: Kinglong Mee
X-Patchwork-Id: 9228933
To: Trond Myklebust
Cc: linux-nfs@vger.kernel.org, Kinglong Mee
From: Kinglong Mee
Subject: [PATCH] nfs/blocklayout: Check max uuids and devices before decoding
Message-ID: <87b2740f-d38b-b5f6-be85-cf2279c62496@gmail.com>
Date: Thu, 14 Jul 2016 12:02:01 +0800
X-Mailing-List: linux-nfs@vger.kernel.org

Avoid nfs return uuids/devices larger than maximum.

Signed-off-by: Kinglong Mee
---
 fs/nfs/blocklayout/dev.c | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/fs/nfs/blocklayout/dev.c b/fs/nfs/blocklayout/dev.c index 3021015..6d71b67 100644 --- a/fs/nfs/blocklayout/dev.c +++ b/fs/nfs/blocklayout/dev.c @@ -65,8 +65,8 @@ nfs4_block_decode_volume(struct xdr_stream *xdr, struct pnfs_block_volume *b) if (!p) return -EIO; b->simple.nr_sigs = be32_to_cpup(p++); - if (!b->simple.nr_sigs) { - dprintk("no signature\n"); + if (!b->simple.nr_sigs || b->simple.nr_sigs > PNFS_BLOCK_MAX_UUIDS) { + dprintk("Bad signature count: %d\n", b->simple.nr_sigs); return -EIO; } @@ -105,7 +105,12 @@ nfs4_block_decode_volume(struct xdr_stream *xdr, struct pnfs_block_volume *b) p = xdr_inline_decode(xdr, 4); if (!p) return -EIO; + b->concat.volumes_count = be32_to_cpup(p++); + if (b->concat.volumes_count > PNFS_BLOCK_MAX_DEVICES) { + dprintk("Too many volumes: %d\n", b->concat.volumes_count); + return -EIO; + } p = xdr_inline_decode(xdr, b->concat.volumes_count * 4); if (!p) @@ -117,8 +122,13 @@ nfs4_block_decode_volume(struct xdr_stream *xdr, struct pnfs_block_volume *b) p = xdr_inline_decode(xdr, 8 + 4); if (!p) return -EIO; + p = xdr_decode_hyper(p, &b->stripe.chunk_size); b->stripe.volumes_count = be32_to_cpup(p++); + if (b->stripe.volumes_count > PNFS_BLOCK_MAX_DEVICES) { + dprintk("Too many volumes: %d\n", b->stripe.volumes_count); + return -EIO; + } p = xdr_inline_decode(xdr, b->stripe.volumes_count * 4); if (!p)
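
Review bot: In the first hunk (@@ -65,8), the new `b->simple.nr_sigs > PNFS_BLOCK_MAX_UUIDS` test only bounds the count from above if the comparison is unsigned. The value comes from `be32_to_cpup(p++)` and is printed with `%d`; if `nr_sigs` is a signed int, a wire value with the high bit set is stored as a negative number, is non-zero, and is not greater than the maximum, so it passes both halves of the condition. Suggest making the field unsigned or also rejecting negative values, and using the format specifier that matches the field's type.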
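
Review bot: In the concat hunk (@@ -105,7), a `volumes_count` of zero is still accepted, while the first hunk rejects a zero `nr_sigs`. If a concat volume with no sub-volumes is not meaningful, reject zero in the same condition as the upper bound; if zero is valid, a short comment saying so would make the asymmetry deliberate. The blank line added before the `b->concat.volumes_count` assignment is an unrelated whitespace change and could be dropped from the patch.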
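
Review bot: The stripe hunk (@@ -117,8) repeats the concat bound check verbatim, including the identical "Too many volumes" message, so a debug line does not say which volume type was rejected. Consider naming the type in each message or moving the check into a small helper shared by both cases. The commit message also does not say what goes wrong when a count exceeds `PNFS_BLOCK_MAX_UUIDS` or `PNFS_BLOCK_MAX_DEVICES`; stating the consequence of the unchecked value would let maintainers judge whether the fix needs to go to stable.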