diff options
author | Chuck Lever <chuck.lever@oracle.com> | 2019-11-15 08:39:07 -0500 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2019-12-17 20:08:38 +0100 |
commit | af075ec9c1670e9f43c2b3163873780996243493 (patch) | |
tree | 7fc58e746f5fb81345c3472943dab8eba9f65b49 | |
parent | 11c3ef9073a06f849e4ed87db6995107157ae0ed (diff) | |
download | linux-stable-af075ec9c1670e9f43c2b3163873780996243493.tar.gz linux-stable-af075ec9c1670e9f43c2b3163873780996243493.tar.bz2 linux-stable-af075ec9c1670e9f43c2b3163873780996243493.zip |
SUNRPC: Fix another issue with MIC buffer space
[ Upstream commit e8d70b321ecc9b23d09b8df63e38a2f73160c209 ]
xdr_shrink_pagelen() BUG's when @len is larger than buf->page_len.
This can happen when xdr_buf_read_mic() is given an xdr_buf with
a small page array (like, only a few bytes).
Instead, just cap the number of bytes that xdr_shrink_pagelen()
will move.
Fixes: 5f1bc39979d ("SUNRPC: Fix buffer handling of GSS MIC ... ")
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Reviewed-by: Benjamin Coddington <bcodding@redhat.com>
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
-rw-r--r-- | net/sunrpc/xdr.c | 11 |
1 files changed, 5 insertions, 6 deletions
diff --git a/net/sunrpc/xdr.c b/net/sunrpc/xdr.c index b256806d69cd..db116fc8ff44 100644 --- a/net/sunrpc/xdr.c +++ b/net/sunrpc/xdr.c @@ -436,13 +436,12 @@ xdr_shrink_bufhead(struct xdr_buf *buf, size_t len) } /** - * xdr_shrink_pagelen + * xdr_shrink_pagelen - shrinks buf->pages by up to @len bytes * @buf: xdr_buf * @len: bytes to remove from buf->pages * - * Shrinks XDR buffer's page array buf->pages by - * 'len' bytes. The extra data is not lost, but is instead - * moved into the tail. + * The extra data is not lost, but is instead moved into buf->tail. + * Returns the actual number of bytes moved. */ static unsigned int xdr_shrink_pagelen(struct xdr_buf *buf, size_t len) @@ -455,8 +454,8 @@ xdr_shrink_pagelen(struct xdr_buf *buf, size_t len) result = 0; tail = buf->tail; - BUG_ON (len > pglen); - + if (len > buf->page_len) + len = buf-> page_len; tailbuf_len = buf->buflen - buf->head->iov_len - buf->page_len; /* Shift the tail first */ |