svcrpc: fix handling of too-short rpc's
If we detect that an rpc is too short, we abort and close the connection. Except, there's a bug here: we're leaving sk_datalen nonzero without leaving any pages in the sk_pages array. The most likely result of the inconsistency is a subsequent crash in svc_tcp_clear_pages. Also demote the BUG_ON in svc_tcp_clear_pages to a WARN. Cc: stable@kernel.org Signed-off-by: J. Bruce Fields <bfields@redhat.com>
This commit is contained in:
J. Bruce Fields
parent
590b743143
commit
cf3aa02cb4
1 changed files with 7 additions and 2 deletions
|
|
@ -917,7 +917,10 @@ static void svc_tcp_clear_pages(struct svc_sock *svsk)
|
||||||
len = svsk->sk_datalen;
|
len = svsk->sk_datalen;
|
||||||
npages = (len + PAGE_SIZE - 1) >> PAGE_SHIFT;
|
npages = (len + PAGE_SIZE - 1) >> PAGE_SHIFT;
|
||||||
for (i = 0; i < npages; i++) {
|
for (i = 0; i < npages; i++) {
|
||||||
BUG_ON(svsk->sk_pages[i] == NULL);
|
if (svsk->sk_pages[i] == NULL) {
|
||||||
|
WARN_ON_ONCE(1);
|
||||||
|
continue;
|
||||||
|
}
|
||||||
put_page(svsk->sk_pages[i]);
|
put_page(svsk->sk_pages[i]);
|
||||||
svsk->sk_pages[i] = NULL;
|
svsk->sk_pages[i] = NULL;
|
||||||
}
|
}
|
||||||
|
|
@ -1092,8 +1095,10 @@ static int svc_tcp_recvfrom(struct svc_rqst *rqstp)
|
||||||
goto err_noclose;
|
goto err_noclose;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (svc_sock_reclen(svsk) < 8)
|
if (svc_sock_reclen(svsk) < 8) {
|
||||||
|
svsk->sk_datalen = 0;
|
||||||
goto err_delete; /* client is nuts. */
|
goto err_delete; /* client is nuts. */
|
||||||
|
}
|
||||||
|
|
||||||
rqstp->rq_arg.len = svsk->sk_datalen;
|
rqstp->rq_arg.len = svsk->sk_datalen;
|
||||||
rqstp->rq_arg.page_base = 0;
|
rqstp->rq_arg.page_base = 0;
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue