To prevent a page* buffer overrun that breaks svc_rqst,
though I do not know whether sk_datalen can actually become so large.
Signed-off-by: Seiichi Ikarashi <[email protected]>
---
net/sunrpc/svcsock.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/net/sunrpc/svcsock.c b/net/sunrpc/svcsock.c
index dadfec6..7532dfa 100644
--- a/net/sunrpc/svcsock.c
+++ b/net/sunrpc/svcsock.c
@@ -940,6 +940,9 @@ static unsigned int svc_tcp_restore_pages(struct svc_sock *svsk, struct svc_rqst
return 0;
len = svsk->sk_datalen;
npages = (len + PAGE_SIZE - 1) >> PAGE_SHIFT;
+ WARN_ON_ONCE(npages > RPCSVC_MAXPAGES);
+ if (npages > RPCSVC_MAXPAGES)
+ npages = RPCSVC_MAXPAGES;
for (i = 0; i < npages; i++) {
if (rqstp->rq_pages[i] != NULL)
put_page(rqstp->rq_pages[i]);
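Review bot: The clamp in svc_tcp_restore_pages bounds `npages` but leaves `len` and `svsk->sk_datalen` at the oversized value, so the page count and the byte length disagree from this point on. The function returns `unsigned int` and its tail is outside the hunk; if it returns or stores `len` (inferred, not visible here), the caller would account for more bytes than the restored pages actually hold. Because the length is accumulated from data received on the socket, it is safer to fail and close the connection when the bound is exceeded, or to enforce the bound at the point where `sk_datalen` is increased, than to continue with silently truncated state. The same mismatch applies to the svc_tcp_save_pages and svc_tcp_clear_pages hunks. At minimum, document the invariant above the check, e.g. `/* sk_datalen must never describe more than RPCSVC_MAXPAGES pages */`.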
@@ -959,6 +962,9 @@ static void svc_tcp_save_pages(struct svc_sock *svsk, struct svc_rqst *rqstp)
return;
len = svsk->sk_datalen;
npages = (len + PAGE_SIZE - 1) >> PAGE_SHIFT;
+ WARN_ON_ONCE(npages > RPCSVC_MAXPAGES);
+ if (npages > RPCSVC_MAXPAGES)
+ npages = RPCSVC_MAXPAGES;
for (i = 0; i < npages; i++) {
svsk->sk_pages[i] = rqstp->rq_pages[i];
rqstp->rq_pages[i] = NULL;
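Review bot: The same three-line warn-and-clamp sequence is pasted into svc_tcp_restore_pages, svc_tcp_save_pages and svc_tcp_clear_pages, and each copy evaluates the condition twice. WARN_ON_ONCE() yields the value of its condition, so the check and the warning can be a single `if`. Moving the computation into one static helper would keep the bound in one place, so the three loops cannot drift apart if the array sizes change. The helper below is a sketch; the type of `sk_datalen` is not visible in this diff, so the `unsigned int` is an assumption to confirm.

```c
/* Pages covered by sk_datalen, never more than the page arrays can hold. */
static unsigned int svc_tcp_saved_npages(const struct svc_sock *svsk)
{
	unsigned int npages = (svsk->sk_datalen + PAGE_SIZE - 1) >> PAGE_SHIFT;

	if (WARN_ON_ONCE(npages > RPCSVC_MAXPAGES))
		npages = RPCSVC_MAXPAGES;
	return npages;
}

/* ... unchanged: each caller's early return on sk_datalen == 0 ... */
	npages = svc_tcp_saved_npages(svsk);
```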
@@ -973,6 +979,9 @@ static void svc_tcp_clear_pages(struct svc_sock *svsk)
goto out;
len = svsk->sk_datalen;
npages = (len + PAGE_SIZE - 1) >> PAGE_SHIFT;
+ WARN_ON_ONCE(npages > RPCSVC_MAXPAGES);
+ if (npages > RPCSVC_MAXPAGES)
+ npages = RPCSVC_MAXPAGES;
for (i = 0; i < npages; i++) {
if (svsk->sk_pages[i] == NULL) {
WARN_ON_ONCE(1);