diff options
| author | Chuck Lever <chuck.lever@oracle.com> | 2022-09-01 15:09:59 -0400 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2022-10-21 12:38:01 +0200 |
| commit | 47e035f42ec6c1ec1f20705eed8b3d99092510aa (patch) | |
| tree | 348cd682453cc441fa472ad99821bf9ffeb2f053 /include | |
| parent | 352cc3597b1672ec5a1de6557c2f1055f46eb5b5 (diff) | |
| download | linux-stable-47e035f42ec6c1ec1f20705eed8b3d99092510aa.tar.gz linux-stable-47e035f42ec6c1ec1f20705eed8b3d99092510aa.tar.bz2 linux-stable-47e035f42ec6c1ec1f20705eed8b3d99092510aa.zip | |
SUNRPC: Fix svcxdr_init_encode's buflen calculation
[ Upstream commit 1242a87da0d8cd2a428e96ca68e7ea899b0f4624 ]
Commit 2825a7f90753 ("nfsd4: allow encoding across page boundaries")
added an explicit computation of the remaining length in the rq_res
XDR buffer.
The computation appears to suffer from an "off-by-one" bug. Because
buflen is too large by one page, XDR encoding can run off the end of
the send buffer by eventually trying to use the struct page address
in rq_page_end, which always contains NULL.
Fixes: bddfdbcddbe2 ("NFSD: Extract the svcxdr_init_encode() helper")
Reviewed-by: Jeff Layton <jlayton@kernel.org>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Diffstat (limited to 'include')
| -rw-r--r-- | include/linux/sunrpc/svc.h | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/include/linux/sunrpc/svc.h b/include/linux/sunrpc/svc.h index 5a830b66f059..0ca8a8ffb47e 100644 --- a/include/linux/sunrpc/svc.h +++ b/include/linux/sunrpc/svc.h @@ -587,7 +587,7 @@ static inline void svcxdr_init_encode(struct svc_rqst *rqstp) xdr->end = resv->iov_base + PAGE_SIZE - rqstp->rq_auth_slack; buf->len = resv->iov_len; xdr->page_ptr = buf->pages - 1; - buf->buflen = PAGE_SIZE * (1 + rqstp->rq_page_end - buf->pages); + buf->buflen = PAGE_SIZE * (rqstp->rq_page_end - buf->pages); buf->buflen -= rqstp->rq_auth_slack; xdr->rqst = NULL; } |