Subject: [PATCH v3 5/6] NFSD: Protect against send buffer overflow in NFSv2 READ
From: Chuck Lever
To: linux-nfs@vger.kernel.org
Date: Thu, 01 Sep 2022 15:10:18 -0400
Message-ID: <166205941847.1435.15080240781458940273.stgit@manet.1015granger.net>
In-Reply-To: <166204973526.1435.6068003336048840051.stgit@manet.1015granger.net>
References: <166204973526.1435.6068003336048840051.stgit@manet.1015granger.net>

Since before the git era, NFSD has conserved the number of pages held
by each nfsd thread by combining the RPC receive and send buffers into
a single array of pages. This works because there are no cases where
an operation needs a large RPC Call message and a large RPC Reply at
the same time.

Once an RPC Call has been received, svc_process() updates
svc_rqst::rq_res to describe the part of rq_pages that can be used for
constructing the Reply. This means that the send buffer (rq_res)
shrinks when the received RPC record containing the RPC Call is large.

A client can force this shrinkage on TCP by sending a correctly-formed
RPC Call header contained in an RPC record that is excessively large.
The full maximum payload size cannot be constructed in that case.

Cc:
Signed-off-by: Chuck Lever
---
 fs/nfsd/nfsproc.c |    1 +
 1 file changed, 1 insertion(+)

diff --git a/fs/nfsd/nfsproc.c b/fs/nfsd/nfsproc.c
index ddb1902c0a18..4b19cc727ea5 100644
--- a/fs/nfsd/nfsproc.c
+++ b/fs/nfsd/nfsproc.c
@@ -185,6 +185,7 @@ nfsd_proc_read(struct svc_rqst *rqstp) argp->count, argp->offset); argp->count = min_t(u32, argp->count, NFSSVC_MAXBLKSIZE_V2); + argp->count = min_t(u32, argp->count, rqstp->rq_res.buflen); v = 0; len = argp->count;
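Review bot: the added clamp `argp->count = min_t(u32, argp->count, rqstp->rq_res.buflen);` carries no in-code comment, so a reader of nfsd_proc_read() cannot tell why the reply buffer's length should bound a READ; the reasoning (receive and send buffers share one page array, and an oversized RPC record shrinks rq_res) lives only in the commit message. Suggest a short comment above the new line, e.g. `/* rq_res shrinks when the Call's RPC record is large; never read more than fits in it */`. Secondly, with this change an excessively large record from a client now produces a silently shortened READ rather than an overflow; since a short read is legal in NFSv2 on its own, the operator gets no signal that a peer is sending oversized records, so it is worth stating in the commit message whether the condition is meant to be observable (a tracepoint or counter) or whether silent truncation is the intended behaviour.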