FreeBSD Bugzilla – Attachment 230070 Details for Bug 260293: big counts in LAYOUTRETURN can cause NFS v4 nfsrv_flexlayouterr() to page-fault
[patch] check against maxcnt when parsing a flex file error reply
crash10.patch (text/plain), 1021 bytes, created by Rick Macklem on 2021-12-13 05:30:46 UTC
>--- sys/fs/nfsserver/nfs_nfsdstate.c.crash10 2021-12-12 19:58:30.845509000 -0800 >+++ sys/fs/nfsserver/nfs_nfsdstate.c 2021-12-12 20:22:33.035845000 -0800 >@@ -6994,14 +6994,25 @@ nfsrv_flexlayouterr(struct nfsrv_descript *nd, uint32_ > char devid[NFSX_V4DEVICEID]; > > tl = layp; >- cnt = fxdr_unsigned(int, *tl++); >+ maxcnt -= NFSX_UNSIGNED; >+ if (maxcnt > 0) >+ cnt = fxdr_unsigned(int, *tl++); >+ else >+ cnt = 0; > NFSD_DEBUG(4, "flexlayouterr cnt=%d\n", cnt); > for (i = 0; i < cnt; i++) { >+ maxcnt -= NFSX_STATEID + 2 * NFSX_HYPER + >+ NFSX_UNSIGNED; >+ if (maxcnt <= 0) >+ break; > /* Skip offset, length and stateid for now. */ > tl += (4 + NFSX_STATEID / NFSX_UNSIGNED); > errcnt = fxdr_unsigned(int, *tl++); > NFSD_DEBUG(4, "flexlayouterr errcnt=%d\n", errcnt); > for (j = 0; j < errcnt; j++) { >+ maxcnt -= NFSX_V4DEVICEID + 2 * NFSX_UNSIGNED; >+ if (maxcnt < 0) >+ break; > NFSBCOPY(tl, devid, NFSX_V4DEVICEID); > tl += (NFSX_V4DEVICEID / NFSX_UNSIGNED); > stat = fxdr_unsigned(int, *tl++);
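Review bot: the three bounds checks added here test maxcnt in three different ways: "if (maxcnt > 0)" before decoding cnt, "if (maxcnt <= 0)" at the top of the outer loop, and "if (maxcnt < 0)" at the top of the inner loop. Each check runs after the size of the item about to be read has been subtracted, so a result of exactly 0 means the item still fits in the remaining bytes. The first two checks therefore refuse a count word or a layout entry that exactly fills the buffer, while the inner check accepts a device error entry that does. That errs on the safe side, but the code would be easier to audit if all three used the same test (stop when maxcnt < 0) or carried a comment saying why the outer ones are stricter. Two further things to confirm: these tests only work if maxcnt is a signed type, and its declaration is not visible in this hunk (the function signature is cut off in the @@ line); and the inner break only leaves the j loop, so stopping the outer loop relies on the next iteration's subtraction and "maxcnt <= 0" test firing before anything more is read through tl, which holds as written but deserves a comment.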
Attachments on bug 260293: 229996 | 230070