diff options
| author | Dan Carpenter <dan.carpenter@linaro.org> | 2024-05-09 13:48:28 +0300 |
|---|---|---|
| committer | Chuck Lever <chuck.lever@oracle.com> | 2024-07-08 21:10:01 +0300 |
| commit | dbc834e5db447bcc5d77fa76a46897c4f206a5a4 (patch) | |
| tree | 6852021d0fd8dacb1e5b5953b12a8f0ce5269a13 /fs/nfsd | |
| parent | 256abd8e550ce977b728be79a74e1729438b4948 (diff) | |
| download | linux-dbc834e5db447bcc5d77fa76a46897c4f206a5a4.tar.xz | |
NFSD: harden svcxdr_dupstr() and svcxdr_tmpalloc() against integer overflows
These lengths come from xdr_stream_decode_u32() and so we should be a
bit careful with them. Use size_add() and struct_size() to avoid
integer overflows. Saving size_add()/struct_size() results to a u32 is
unsafe because it truncates away the high bits.
Also generally storing sizes in longs is safer. Most systems these days
use 64 bit CPUs. It's harder for an addition to overflow 64 bits than
it is to overflow 32 bits. Also functions like vmalloc() can
successfully allocate UINT_MAX bytes, but nothing can allocate ULONG_MAX
bytes.
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Diffstat (limited to 'fs/nfsd')
| -rw-r--r-- | fs/nfsd/nfs4xdr.c | 12 |
1 files changed, 6 insertions, 6 deletions
diff --git a/fs/nfsd/nfs4xdr.c b/fs/nfsd/nfs4xdr.c index c7bfd2180e3f..42b41d55d4ed 100644 --- a/fs/nfsd/nfs4xdr.c +++ b/fs/nfsd/nfs4xdr.c @@ -118,11 +118,11 @@ static int zero_clientid(clientid_t *clid) * operation described in @argp finishes. */ static void * -svcxdr_tmpalloc(struct nfsd4_compoundargs *argp, u32 len) +svcxdr_tmpalloc(struct nfsd4_compoundargs *argp, size_t len) { struct svcxdr_tmpbuf *tb; - tb = kmalloc(sizeof(*tb) + len, GFP_KERNEL); + tb = kmalloc(struct_size(tb, buf, len), GFP_KERNEL); if (!tb) return NULL; tb->next = argp->to_free; @@ -138,9 +138,9 @@ svcxdr_tmpalloc(struct nfsd4_compoundargs *argp, u32 len) * buffer might end on a page boundary. */ static char * -svcxdr_dupstr(struct nfsd4_compoundargs *argp, void *buf, u32 len) +svcxdr_dupstr(struct nfsd4_compoundargs *argp, void *buf, size_t len) { - char *p = svcxdr_tmpalloc(argp, len + 1); + char *p = svcxdr_tmpalloc(argp, size_add(len, 1)); if (!p) return NULL; @@ -150,7 +150,7 @@ svcxdr_dupstr(struct nfsd4_compoundargs *argp, void *buf, u32 len) } static void * -svcxdr_savemem(struct nfsd4_compoundargs *argp, __be32 *p, u32 len) +svcxdr_savemem(struct nfsd4_compoundargs *argp, __be32 *p, size_t len) { __be32 *tmp; @@ -2146,7 +2146,7 @@ nfsd4_decode_clone(struct nfsd4_compoundargs *argp, union nfsd4_op_u *u) */ static __be32 nfsd4_vbuf_from_vector(struct nfsd4_compoundargs *argp, struct xdr_buf *xdr, - char **bufp, u32 buflen) + char **bufp, size_t buflen) { struct page **pages = xdr->pages; struct kvec *head = xdr->head; |