Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

NFS: Fix filehandle bounds checking in nfs_fh_to_dentry()

The function needs to check the minimal filehandle length before it can
access the embedded filehandle.

Reported-by: zhangjian <zhangjian496@huawei.com>
Fixes: 20fa19027286 ("nfs: add export operations")
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>

+9 -2
fs/nfs/export.c
··· 66 66 { 67 67 struct nfs_fattr *fattr = NULL; 68 68 struct nfs_fh *server_fh = nfs_exp_embedfh(fid->raw); 69 - size_t fh_size = offsetof(struct nfs_fh, data) + server_fh->size; 69 + size_t fh_size = offsetof(struct nfs_fh, data); 70 70 const struct nfs_rpc_ops *rpc_ops; 71 71 struct dentry *dentry; 72 72 struct inode *inode; 73 - int len = EMBED_FH_OFF + XDR_QUADLEN(fh_size); 73 + int len = EMBED_FH_OFF; 74 74 u32 *p = fid->raw; 75 75 int ret; 76 76 77 + /* Initial check of bounds */ 78 + if (fh_len < len + XDR_QUADLEN(fh_size) || 79 + fh_len > XDR_QUADLEN(NFS_MAXFHSIZE)) 80 + return NULL; 81 + /* Calculate embedded filehandle size */ 82 + fh_size += server_fh->size; 83 + len += XDR_QUADLEN(fh_size); 77 84 /* NULL translates to ESTALE */ 78 85 if (fh_len < len || fh_type != len) 79 86 return NULL;
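Review bot: the comment `/* Initial check of bounds */` above the new `if` undersells what the check is for; it should say that `server_fh->size` lives inside the caller-supplied `fid->raw` and must not be read until `fh_len` is known to cover the `struct nfs_fh` header (`EMBED_FH_OFF + XDR_QUADLEN(offsetof(struct nfs_fh, data))` words), which is exactly the ordering bug the old `size_t fh_size = offsetof(struct nfs_fh, data) + server_fh->size;` initializer had. It is also worth a comment that `fh_len` and `fh_type` are counted in 32-bit XDR words, since every comparison here goes through `XDR_QUADLEN()`. On the logic itself: the new upper bound `fh_len > XDR_QUADLEN(NFS_MAXFHSIZE)` together with the unchanged `fh_len < len || fh_type != len` check (where `len` now includes `XDR_QUADLEN(server_fh->size + header)`) means a `server_fh->size` larger than the space actually supplied is rejected before anything past the header is touched, so no separate `server_fh->size > NFS_MAXFHSIZE` test is needed in this hunk; a one-line comment stating that the later check is what bounds the embedded size would save the next reader from re-deriving it.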