From: trondmy@kernel.org
To: rtm@csail.mit.edu
Cc: linux-nfs@vger.kernel.org
Subject: [PATCH 1/2] NFSv4: Ensure decode_compound_hdr() sanity checks the tag
Date: Thu, 4 Nov 2021 17:52:55 -0400
Message-Id: <20211104215256.408315-1-trondmy@kernel.org>
X-Mailer: git-send-email 2.33.1
X-Mailing-List: linux-nfs@vger.kernel.org
From: Trond Myklebust The server is supposed to return the same tag that the client sends in the outgoing RPC call, but we should still sanity check the length just in case. Reported-by: Signed-off-by: Trond Myklebust --- fs/nfs/nfs4xdr.c | 23 +++++++++++++---------- 1 file changed, 13 insertions(+), 10 deletions(-) diff --git a/fs/nfs/nfs4xdr.c b/fs/nfs/nfs4xdr.c index 1e3b1db7afa9..fa01edf19015 100644 --- a/fs/nfs/nfs4xdr.c +++ b/fs/nfs/nfs4xdr.c @@ -3168,20 +3168,23 @@ static int decode_opaque_inline(struct xdr_stream *xdr, unsigned int *len, char static int decode_compound_hdr(struct xdr_stream *xdr, struct compound_hdr *hdr) { - __be32 *p; + ssize_t ret; + void *ptr; + u32 tmp; - p = xdr_inline_decode(xdr, 8); - if (unlikely(!p)) + if (xdr_stream_decode_u32(xdr, &tmp) < 0) return -EIO; - hdr->status = be32_to_cpup(p++); - hdr->taglen = be32_to_cpup(p); + hdr->status = tmp; - p = xdr_inline_decode(xdr, hdr->taglen + 4); - if (unlikely(!p)) + ret = xdr_stream_decode_opaque_inline(xdr, &ptr, NFS4_OPAQUE_LIMIT); + if (ret < 0) + return -EIO; + hdr->taglen = ret; + hdr->tag = ptr; + + if (xdr_stream_decode_u32(xdr, &tmp) < 0) return -EIO; - hdr->tag = (char *)p; - p += XDR_QUADLEN(hdr->taglen); - hdr->nops = be32_to_cpup(p); + hdr->nops = tmp; if (unlikely(hdr->nops < 1)) return nfs4_stat_to_errno(hdr->status); return 0; -- 2.33.1
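Review bot: the commit message should spell out the hazard the new bound removes, because the hunk makes it visible: the removed code fed the server-supplied length straight into `xdr_inline_decode(xdr, hdr->taglen + 4)` and then advanced the cursor with `p += XDR_QUADLEN(hdr->taglen);` with no upper bound, so the reply controlled both the requested inline size and the pointer arithmetic that precedes the read of `hdr->nops`; the replacement `xdr_stream_decode_opaque_inline(xdr, &ptr, NFS4_OPAQUE_LIMIT);` rejects any tag longer than NFS4_OPAQUE_LIMIT before either happens, and saying so in one sentence will help whoever bisects to this change. Two smaller points: the `Reported-by:` trailer is empty and needs the reporter's name, and since the message notes that the tag is supposed to echo what the client sent, a brief comment at `hdr->tag = ptr;` stating that only the length is validated here, not the contents, would save the next reader from looking for a comparison that does not exist.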
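The length bound the patch introduces, as an added example that is not kernel code: a stand-alone C model of the patched decode_compound_hdr() with stand-ins for xdr_stream_decode_u32() and xdr_stream_decode_opaque_inline(), run over two constructed replies. The xdr_view struct, the helper names, the NFS4_OPAQUE_LIMIT value of 1024, the trimmed compound_hdr and the -EINVAL mapping for a zero nops count are assumptions of this example, not taken from fs/nfs/nfs4xdr.c.

```c
#include <errno.h>
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Assumed to match include/linux/nfs4.h; the value is not in the patch. */
#define NFS4_OPAQUE_LIMIT 1024u

/* XDR pads every opaque to a 4-byte boundary, like the kernel's XDR_QUADLEN;
 * the unsigned arithmetic wraps the same way the kernel macro would. */
static uint32_t xdr_quadlen(uint32_t len) { return (len + 3) >> 2; }

/* Stand-in for struct xdr_stream: a cursor over a received reply. */
struct xdr_view { const uint8_t *p; const uint8_t *end; };

/* Only the compound_hdr fields the patch touches (assumed layout). */
struct compound_hdr { int32_t status; uint32_t nops; uint32_t taglen; const char *tag; };

/* Big-endian u32 (stand-in for xdr_stream_decode_u32): -1 when short. */
static int xdr_decode_u32(struct xdr_view *x, uint32_t *out)
{
    if (x->end - x->p < 4)
        return -1;
    *out = ((uint32_t)x->p[0] << 24) | ((uint32_t)x->p[1] << 16) |
           ((uint32_t)x->p[2] << 8) | (uint32_t)x->p[3];
    x->p += 4;
    return 0;
}

/* Stand-in for xdr_stream_decode_opaque_inline(): the length is compared
 * with maxlen BEFORE any size computation, so a hostile value can neither
 * wrap the padded size nor push the cursor past the buffer. */
static ssize_t xdr_decode_opaque_inline(struct xdr_view *x, const void **ptr, uint32_t maxlen)
{
    uint32_t len;
    size_t padded;

    if (xdr_decode_u32(x, &len) < 0)
        return -1;
    if (len > maxlen)                       /* the check the patch introduces */
        return -1;
    padded = (size_t)xdr_quadlen(len) * 4;  /* cannot wrap: len <= maxlen */
    if ((size_t)(x->end - x->p) < padded)
        return -1;
    *ptr = x->p;
    x->p += padded;
    return (ssize_t)len;
}

/* Same shape as the patched decode_compound_hdr(): status, bounded tag, nops.
 * The kernel maps nops < 1 through nfs4_stat_to_errno(); here it is -EINVAL. */
static int decode_compound_hdr(struct xdr_view *x, struct compound_hdr *hdr)
{
    ssize_t ret;
    const void *ptr;
    uint32_t tmp;

    if (xdr_decode_u32(x, &tmp) < 0)
        return -EIO;
    hdr->status = (int32_t)tmp;
    ret = xdr_decode_opaque_inline(x, &ptr, NFS4_OPAQUE_LIMIT);
    if (ret < 0)
        return -EIO;
    hdr->taglen = (uint32_t)ret;
    hdr->tag = ptr;
    if (xdr_decode_u32(x, &tmp) < 0)
        return -EIO;
    hdr->nops = tmp;
    return hdr->nops < 1 ? -EINVAL : 0;
}

/* The byte count the removed code handed to xdr_inline_decode(xdr, taglen + 4),
 * assuming a 32-bit unsigned taglen (the field type is not in the hunk). */
static uint32_t old_inline_len(uint32_t taglen) { return taglen + 4; }

/* Constructed reply: status 0, tag "ok" padded to 4 bytes, nops 1. */
static const uint8_t good_reply[] = { 0,0,0,0, 0,0,0,2, 'o','k',0,0, 0,0,0,1 };

/* Constructed reply with tag length 0xFFFFFFFC: 0xFFFFFFFC + 4 == 0 in
 * 32-bit arithmetic, which is why the bound must be applied first. */
static const uint8_t wrapped_reply[] = { 0,0,0,0, 0xff,0xff,0xff,0xfc, 0,0,0,1 };

/* 1 when the well-formed reply decodes to the expected fields, else 0. */
static int demo_good_reply(void)
{
    struct xdr_view x = { good_reply, good_reply + sizeof good_reply };
    struct compound_hdr hdr;

    if (decode_compound_hdr(&x, &hdr) != 0)
        return 0;
    return hdr.status == 0 && hdr.taglen == 2 && hdr.nops == 1 &&
           memcmp(hdr.tag, "ok", 2) == 0;
}

/* The decoder's verdict on the oversized tag length (expected: -EIO). */
static int demo_wrapped_reply(void)
{
    struct xdr_view x = { wrapped_reply, wrapped_reply + sizeof wrapped_reply };
    struct compound_hdr hdr;

    return decode_compound_hdr(&x, &hdr);
}

int main(void)
{
    printf("good reply decodes: %s\n", demo_good_reply() ? "yes" : "no");
    printf("wrapped reply rc: %d (EIO is %d)\n", demo_wrapped_reply(), -EIO);
    printf("taglen + 4 for 0xFFFFFFFC: %u\n", old_inline_len(0xFFFFFFFCu));
    return 0;
}
```

The wrapped reply is rejected at the length comparison, before the padded size is computed or the cursor moved. old_inline_len() shows why that ordering matters: with a 32-bit length, 0xFFFFFFFC + 4 is 0, so any size check applied to the sum rather than to the raw length sees a zero-byte request.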