SUNRPC: Don't decode beyond the end of the RPC reply message
Now that xdr_inline_decode() will automatically cross into the page buffers, we need to ensure that it doesn't exceed the total reply message length. This patch sets up a counter that tracks the number of words remaining in the reply message, and ensures that xdr_inline_decode, xdr_read_pages and xdr_enter_page respect the end of message boundary. Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
parent
1537693cea
commit
bfeea1dc1c
@ -205,6 +205,7 @@ struct xdr_stream {
|
|||||||
struct kvec *iov; /* pointer to the current kvec */
|
struct kvec *iov; /* pointer to the current kvec */
|
||||||
struct kvec scratch; /* Scratch buffer */
|
struct kvec scratch; /* Scratch buffer */
|
||||||
struct page **page_ptr; /* pointer to the current page */
|
struct page **page_ptr; /* pointer to the current page */
|
||||||
|
unsigned int nwords; /* Remaining decode buffer length */
|
||||||
};
|
};
|
||||||
|
|
||||||
/*
|
/*
|
||||||
|
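Review bot: The comment on the new `nwords` field does not state its unit, while the rest of the patch treats it as a count of 4-byte XDR words rather than bytes (xdr_init_decode sets it from `XDR_QUADLEN(buf->len)`). A reader who compares it with byte lengths such as `iov_len` could get a bounds check wrong by a factor of four. I would write `unsigned int nwords; /* Remaining decode buffer length, in 32-bit XDR words */`. The struct definition starts above this hunk.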
@ -630,12 +630,15 @@ void xdr_init_decode(struct xdr_stream *xdr, struct xdr_buf *buf, __be32 *p)
|
|||||||
xdr->buf = buf;
|
xdr->buf = buf;
|
||||||
xdr->scratch.iov_base = NULL;
|
xdr->scratch.iov_base = NULL;
|
||||||
xdr->scratch.iov_len = 0;
|
xdr->scratch.iov_len = 0;
|
||||||
|
xdr->nwords = XDR_QUADLEN(buf->len);
|
||||||
if (buf->head[0].iov_len != 0)
|
if (buf->head[0].iov_len != 0)
|
||||||
xdr_set_iov(xdr, buf->head, buf->len);
|
xdr_set_iov(xdr, buf->head, buf->len);
|
||||||
else if (buf->page_len != 0)
|
else if (buf->page_len != 0)
|
||||||
xdr_set_page_base(xdr, 0, buf->len);
|
xdr_set_page_base(xdr, 0, buf->len);
|
||||||
if (p != NULL && p > xdr->p && xdr->end >= p)
|
if (p != NULL && p > xdr->p && xdr->end >= p) {
|
||||||
|
xdr->nwords -= p - xdr->p;
|
||||||
xdr->p = p;
|
xdr->p = p;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
EXPORT_SYMBOL_GPL(xdr_init_decode);
|
EXPORT_SYMBOL_GPL(xdr_init_decode);
|
||||||
|
|
||||||
@ -660,12 +663,14 @@ EXPORT_SYMBOL_GPL(xdr_init_decode_pages);
|
|||||||
|
|
||||||
static __be32 * __xdr_inline_decode(struct xdr_stream *xdr, size_t nbytes)
|
static __be32 * __xdr_inline_decode(struct xdr_stream *xdr, size_t nbytes)
|
||||||
{
|
{
|
||||||
|
unsigned int nwords = XDR_QUADLEN(nbytes);
|
||||||
__be32 *p = xdr->p;
|
__be32 *p = xdr->p;
|
||||||
__be32 *q = p + XDR_QUADLEN(nbytes);
|
__be32 *q = p + nwords;
|
||||||
|
|
||||||
if (unlikely(q > xdr->end || q < p))
|
if (unlikely(nwords > xdr->nwords || q > xdr->end || q < p))
|
||||||
return NULL;
|
return NULL;
|
||||||
xdr->p = q;
|
xdr->p = q;
|
||||||
|
xdr->nwords -= nwords;
|
||||||
return p;
|
return p;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -746,9 +751,16 @@ void xdr_read_pages(struct xdr_stream *xdr, unsigned int len)
|
|||||||
struct xdr_buf *buf = xdr->buf;
|
struct xdr_buf *buf = xdr->buf;
|
||||||
struct kvec *iov;
|
struct kvec *iov;
|
||||||
ssize_t shift;
|
ssize_t shift;
|
||||||
|
unsigned int nwords = XDR_QUADLEN(len);
|
||||||
unsigned int end;
|
unsigned int end;
|
||||||
int padding;
|
int padding;
|
||||||
|
|
||||||
|
if (xdr->nwords == 0)
|
||||||
|
return;
|
||||||
|
if (nwords > xdr->nwords) {
|
||||||
|
nwords = xdr->nwords;
|
||||||
|
len = nwords << 2;
|
||||||
|
}
|
||||||
/* Realign pages to current pointer position */
|
/* Realign pages to current pointer position */
|
||||||
iov = buf->head;
|
iov = buf->head;
|
||||||
shift = iov->iov_len + (char *)iov->iov_base - (char *)xdr->p;
|
shift = iov->iov_len + (char *)iov->iov_base - (char *)xdr->p;
|
||||||
@ -758,15 +770,15 @@ void xdr_read_pages(struct xdr_stream *xdr, unsigned int len)
|
|||||||
/* Truncate page data and move it into the tail */
|
/* Truncate page data and move it into the tail */
|
||||||
if (buf->page_len > len)
|
if (buf->page_len > len)
|
||||||
xdr_shrink_pagelen(buf, buf->page_len - len);
|
xdr_shrink_pagelen(buf, buf->page_len - len);
|
||||||
padding = (XDR_QUADLEN(len) << 2) - len;
|
padding = (nwords << 2) - len;
|
||||||
xdr->iov = iov = buf->tail;
|
xdr->iov = iov = buf->tail;
|
||||||
/* Compute remaining message length. */
|
/* Compute remaining message length. */
|
||||||
end = iov->iov_len;
|
end = iov->iov_len;
|
||||||
shift = buf->buflen - buf->len;
|
shift = buf->buflen - buf->len;
|
||||||
if (shift < end)
|
if (end > shift + padding)
|
||||||
end -= shift;
|
end -= shift;
|
||||||
else if (shift > 0)
|
else
|
||||||
end = 0;
|
end = padding;
|
||||||
/*
|
/*
|
||||||
* Position current pointer at beginning of tail, and
|
* Position current pointer at beginning of tail, and
|
||||||
* set remaining message length.
|
* set remaining message length.
|
||||||
@ -774,6 +786,7 @@ void xdr_read_pages(struct xdr_stream *xdr, unsigned int len)
|
|||||||
xdr->p = (__be32 *)((char *)iov->iov_base + padding);
|
xdr->p = (__be32 *)((char *)iov->iov_base + padding);
|
||||||
xdr->end = (__be32 *)((char *)iov->iov_base + end);
|
xdr->end = (__be32 *)((char *)iov->iov_base + end);
|
||||||
xdr->page_ptr = NULL;
|
xdr->page_ptr = NULL;
|
||||||
|
xdr->nwords = XDR_QUADLEN(end - padding);
|
||||||
}
|
}
|
||||||
EXPORT_SYMBOL_GPL(xdr_read_pages);
|
EXPORT_SYMBOL_GPL(xdr_read_pages);
|
||||||
|
|
||||||
@ -795,6 +808,7 @@ void xdr_enter_page(struct xdr_stream *xdr, unsigned int len)
|
|||||||
* set remaining message length.
|
* set remaining message length.
|
||||||
*/
|
*/
|
||||||
xdr_set_page_base(xdr, 0, len);
|
xdr_set_page_base(xdr, 0, len);
|
||||||
|
xdr->nwords += XDR_QUADLEN(xdr->buf->page_len);
|
||||||
}
|
}
|
||||||
EXPORT_SYMBOL_GPL(xdr_enter_page);
|
EXPORT_SYMBOL_GPL(xdr_enter_page);
|
||||||
|
|
||||||
|
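Review bot: In the xdr_read_pages hunks, the new clamp (`nwords = xdr->nwords; len = nwords << 2;`) and the early `return` when `xdr->nwords == 0` shorten or skip the request silently. The function still returns void, so a caller cannot tell that the reply covers fewer than `len` bytes of page data. Callers are outside this view, but any that keep using their own wire-supplied length after the call would presumably trust page contents the reply did not carry. I would report the number of bytes actually made available, with a signature of `unsigned int xdr_read_pages(...)`, `return 0;` on the early exit and `return len;` at the end, and document that callers must compare it with what they requested. The function body starts above the first xdr_read_pages hunk.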