diff options
author | Chuck Lever <chuck.lever@oracle.com> | 2015-02-12 18:14:51 +0300 |
---|---|---|
committer | Anna Schumaker <Anna.Schumaker@Netapp.com> | 2015-02-24 00:54:04 +0300 |
commit | 9b1dcbc8cf4679ecf090b343ac31bda6e55ddabe (patch) | |
tree | a79e05a22da80e9ffb0318e215a4fdccb0a7493c /fs/sync.c | |
parent | b625a61698619c7af652de2701a2fb17c5c5d66e (diff) | |
download | linux-9b1dcbc8cf4679ecf090b343ac31bda6e55ddabe.tar.xz |
xprtrdma: Store RDMA credits in unsigned variables
Dan Carpenter's static checker pointed out:
net/sunrpc/xprtrdma/rpc_rdma.c:879 rpcrdma_reply_handler()
warn: can 'credits' be negative?
"credits" is defined as an int. The credits value comes from the
server as a 32-bit unsigned integer.
A malicious or broken server can plant a large unsigned integer in
that field which would result in an underflow in the following
logic, potentially triggering a deadlock of the mount point by
blocking the client from issuing more RPC requests.
net/sunrpc/xprtrdma/rpc_rdma.c:
876 credits = be32_to_cpu(headerp->rm_credit);
877 if (credits == 0)
878 credits = 1; /* don't deadlock */
879 else if (credits > r_xprt->rx_buf.rb_max_requests)
880 credits = r_xprt->rx_buf.rb_max_requests;
881
882 cwnd = xprt->cwnd;
883 xprt->cwnd = credits << RPC_CWNDSHIFT;
884 if (xprt->cwnd > cwnd)
885 xprt_release_rqst_cong(rqst->rq_task);
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Fixes: eba8ff660b2d ("xprtrdma: Move credit update to RPC . . .")
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
Diffstat (limited to 'fs/sync.c')
0 files changed, 0 insertions, 0 deletions