Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 9512a16b authored by J. Bruce Fields's avatar J. Bruce Fields
Browse files

nfsd: Revert "nfsd: check for oversized NFSv2/v3 arguments" 



This reverts commit 51f56777 "nfsd: check for oversized NFSv2/v3
arguments", which breaks support for NFSv3 ACLs.

That patch was actually an earlier draft of a fix for the problem that
was eventually fixed by e6838a29 "nfsd: check for oversized NFSv2/v3
arguments".  But somehow I accidentally left this earlier draft in the
branch that was part of my 2.12 pull request.

Reported-by: default avatarEryu Guan <eguan@redhat.com>
Cc: stable@vger.kernel.org
Signed-off-by: default avatarJ. Bruce Fields <bfields@redhat.com>
parent 2ea659a9

fs/nfsd/nfs3xdr.c

+6 −17
Original line number Diff line number Diff line
@@ -334,11 +334,8 @@ nfs3svc_decode_readargs(struct svc_rqst *rqstp, __be32 *p, 
	if (!p)

		return 0;

	p = xdr_decode_hyper(p, &args->offset);

	args->count = ntohl(*p++);



	if (!xdr_argsize_check(rqstp, p))

		return 0;



	args->count = ntohl(*p++);

	len = min(args->count, max_blocksize);



	/* set up the kvec */
@@ -352,7 +349,7 @@ nfs3svc_decode_readargs(struct svc_rqst *rqstp, __be32 *p, 
		v++;

	}

	args->vlen = v;

	return 1;

	return xdr_argsize_check(rqstp, p);

}



int
@@ -544,11 +541,9 @@ nfs3svc_decode_readlinkargs(struct svc_rqst *rqstp, __be32 *p, 
	p = decode_fh(p, &args->fh);

	if (!p)

		return 0;

	if (!xdr_argsize_check(rqstp, p))

		return 0;

	args->buffer = page_address(*(rqstp->rq_next_page++));



	return 1;

	return xdr_argsize_check(rqstp, p);

}



int
@@ -574,14 +569,10 @@ nfs3svc_decode_readdirargs(struct svc_rqst *rqstp, __be32 *p, 
	args->verf   = p; p += 2;

	args->dircount = ~0;

	args->count  = ntohl(*p++);



	if (!xdr_argsize_check(rqstp, p))

		return 0;



	args->count  = min_t(u32, args->count, PAGE_SIZE);

	args->buffer = page_address(*(rqstp->rq_next_page++));



	return 1;

	return xdr_argsize_check(rqstp, p);

}



int
@@ -599,9 +590,6 @@ nfs3svc_decode_readdirplusargs(struct svc_rqst *rqstp, __be32 *p, 
	args->dircount = ntohl(*p++);

	args->count    = ntohl(*p++);



	if (!xdr_argsize_check(rqstp, p))

		return 0;



	len = args->count = min(args->count, max_blocksize);

	while (len > 0) {

		struct page *p = *(rqstp->rq_next_page++);
@@ -609,7 +597,8 @@ nfs3svc_decode_readdirplusargs(struct svc_rqst *rqstp, __be32 *p, 
			args->buffer = page_address(p);

		len -= PAGE_SIZE;

	}

	return 1;



	return xdr_argsize_check(rqstp, p);

}



int

fs/nfsd/nfsxdr.c

+3 −10
Original line number Diff line number Diff line
@@ -257,9 +257,6 @@ nfssvc_decode_readargs(struct svc_rqst *rqstp, __be32 *p, 
	len = args->count     = ntohl(*p++);

	p++; /* totalcount - unused */



	if (!xdr_argsize_check(rqstp, p))

		return 0;



	len = min_t(unsigned int, len, NFSSVC_MAXBLKSIZE_V2);



	/* set up somewhere to store response.
@@ -275,7 +272,7 @@ nfssvc_decode_readargs(struct svc_rqst *rqstp, __be32 *p, 
		v++;

	}

	args->vlen = v;

	return 1;

	return xdr_argsize_check(rqstp, p);

}



int
@@ -365,11 +362,9 @@ nfssvc_decode_readlinkargs(struct svc_rqst *rqstp, __be32 *p, struct nfsd_readli 
	p = decode_fh(p, &args->fh);

	if (!p)

		return 0;

	if (!xdr_argsize_check(rqstp, p))

		return 0;

	args->buffer = page_address(*(rqstp->rq_next_page++));



	return 1;

	return xdr_argsize_check(rqstp, p);

}



int
@@ -407,11 +402,9 @@ nfssvc_decode_readdirargs(struct svc_rqst *rqstp, __be32 *p, 
	args->cookie = ntohl(*p++);

	args->count  = ntohl(*p++);

	args->count  = min_t(u32, args->count, PAGE_SIZE);

	if (!xdr_argsize_check(rqstp, p))

		return 0;

	args->buffer = page_address(*(rqstp->rq_next_page++));



	return 1;

	return xdr_argsize_check(rqstp, p);

}



/*

include/linux/sunrpc/svc.h

+2 −1
Original line number Diff line number Diff line
@@ -336,7 +336,8 @@ xdr_argsize_check(struct svc_rqst *rqstp, __be32 *p) 
{

	char *cp = (char *)p;

	struct kvec *vec = &rqstp->rq_arg.head[0];

	return cp == (char *)vec->iov_base + vec->iov_len;

	return cp >= (char*)vec->iov_base

		&& cp <= (char*)vec->iov_base + vec->iov_len;

}



static inline int