NFSD: fix bad length checking for backchannel (8a891633) · Commits · e / devices / android_kernel_xiaomi_markw

fs/nfsd/nfs4state.c

+7 −2

Original line number	Original line	Diff line number	Diff line
	@@ -1853,6 +1853,11 @@ static __be32 check_forechannel_attrs(struct nfsd4_channel_attrs *ca, struct nfs
	return nfs_ok;		return nfs_ok;
	}		}

			#define NFSD_CB_MAX_REQ_SZ ((NFS4_enc_cb_recall_sz + \
			RPC_MAX_HEADER_WITH_AUTH) * sizeof(__be32))
			#define NFSD_CB_MAX_RESP_SZ ((NFS4_dec_cb_recall_sz + \
			RPC_MAX_REPHEADER_WITH_AUTH) * sizeof(__be32))

	static __be32 check_backchannel_attrs(struct nfsd4_channel_attrs *ca)		static __be32 check_backchannel_attrs(struct nfsd4_channel_attrs *ca)
	{		{
	ca->headerpadsz = 0;		ca->headerpadsz = 0;
	@@ -1863,9 +1868,9 @@ static __be32 check_backchannel_attrs(struct nfsd4_channel_attrs *ca)
	* less than 1k. Tighten up this estimate in the unlikely event		* less than 1k. Tighten up this estimate in the unlikely event
	* it turns out to be a problem for some client:		* it turns out to be a problem for some client:
	*/		*/
	if (ca->maxreq_sz < NFS4_enc_cb_recall_sz + RPC_MAX_HEADER_WITH_AUTH)		if (ca->maxreq_sz < NFSD_CB_MAX_REQ_SZ)
	return nfserr_toosmall;		return nfserr_toosmall;
	if (ca->maxresp_sz < NFS4_dec_cb_recall_sz + RPC_MAX_REPHEADER_WITH_AUTH)		if (ca->maxresp_sz < NFSD_CB_MAX_RESP_SZ)
	return nfserr_toosmall;		return nfserr_toosmall;
	ca->maxresp_cached = 0;		ca->maxresp_cached = 0;
	if (ca->maxops < 2)		if (ca->maxops < 2)