• J. Bruce Fields's avatar
    nfsd: check for oversized NFSv2/v3 arguments · e6838a29
    J. Bruce Fields authored
    A client can append random data to the end of an NFSv2 or NFSv3 RPC call
    without our complaining; we'll just stop parsing at the end of the
    expected data and ignore the rest.
    
    Encoded arguments and replies are stored together in an array of pages,
    and if a call is too large it could leave inadequate space for the
    reply.  This is normally OK because NFS RPC's typically have either
    short arguments and long replies (like READ) or long arguments and short
    replies (like WRITE).  But a client that sends an incorrectly long reply
    can violate those assumptions.  This was observed to cause crashes.
    
    Also, several operations increment rq_next_page in the decode routine
    before checking the argument size, which can leave rq_next_page pointing
    well past the end of the page array, causing trouble later in
    svc_free_pages.
    
    So, following a suggestion from Neil Brown, add a central check to
    enforce our expectation that no NFSv2/v3 call has both a large call and
    a large reply.
    
    As followup we may also want to rewrite the encoding routines to check
    more carefully that they aren't running off the end of the page array.
    
    We may also consider rejecting calls that have any extra garbage
    appended.  That would be safer, and within our rights by spec, but given
    the age of our server and the NFS protocol, and the fact that we've
    never enforced this before, we may need to balance that against the
    possibility of breaking some oddball client.
    Reported-by: default avatarTuomas Haanpää <thaan@synopsys.com>
    Reported-by: default avatarAri Kauppi <ari@synopsys.com>
    Cc: stable@vger.kernel.org
    Reviewed-by: default avatarNeilBrown <neilb@suse.com>
    Signed-off-by: default avatarJ. Bruce Fields <bfields@redhat.com>
    e6838a29
nfssvc.c 21.3 KB