linux/fs/nfsd
Chuck Lever fc788f64f1 nfsd: Limit end of page list when decoding NFSv4 WRITE
When processing an NFSv4 WRITE operation, argp->end should never
point past the end of the data in the final page of the page list.
Otherwise, nfsd4_decode_compound can walk into uninitialized memory.

More critical, nfsd4_decode_write is failing to increment argp->pagelen
when it increments argp->pagelist.  This can cause later xdr decoders
to assume more data is available than really is, which can cause server
crashes on malformed requests.

Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Cc: stable@vger.kernel.org
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
2017-08-24 18:05:30 -04:00
..
acl.h
auth.c
auth.h
blocklayout.c block: Make most scsi_req_init() calls implicit 2017-06-20 19:27:14 -06:00
blocklayoutxdr.c
blocklayoutxdr.h
cache.h
current_stateid.h nfsd4: properly type op_get_currentstateid callbacks 2017-05-15 17:42:27 +02:00
export.c nfsd: namespace-prefix uuid_parse 2017-06-05 16:56:38 +02:00
export.h
fault_inject.c
flexfilelayout.c
flexfilelayoutxdr.c
flexfilelayoutxdr.h
idmap.h
Kconfig
lockd.c
Makefile
netns.h
nfs2acl.c sunrpc: mark all struct svc_version instances as const 2017-05-15 17:42:31 +02:00
nfs3acl.c sunrpc: mark all struct svc_version instances as const 2017-05-15 17:42:31 +02:00
nfs3proc.c sunrpc: mark all struct svc_version instances as const 2017-05-15 17:42:31 +02:00
nfs3xdr.c nfsd4: factor ctime into change attribute 2017-07-12 15:55:00 -04:00
nfs4acl.c
nfs4callback.c nfsd: Fix a memory scribble in the callback channel 2017-07-17 13:15:06 -04:00
nfs4idmap.c
nfs4layouts.c
nfs4proc.c Linux 4.12-rc5 2017-06-28 13:34:15 -04:00
nfs4recover.c
nfs4state.c nfsd4: properly type op_func callbacks 2017-05-15 17:42:29 +02:00
nfs4xdr.c nfsd: Limit end of page list when decoding NFSv4 WRITE 2017-08-24 18:05:30 -04:00
nfscache.c
nfsctl.c
nfsd.h sunrpc: mark all struct svc_version instances as const 2017-05-15 17:42:31 +02:00
nfsfh.c
nfsfh.h nfsd4: factor ctime into change attribute 2017-07-12 15:55:00 -04:00
nfsproc.c sunrpc: mark all struct svc_version instances as const 2017-05-15 17:42:31 +02:00
nfssvc.c sunrpc: mark all struct svc_version instances as const 2017-05-15 17:42:31 +02:00
nfsxdr.c Linux 4.12-rc5 2017-06-28 13:34:15 -04:00
pnfs.h
state.h
stats.c
stats.h
trace.c
trace.h
vfs.c Merge branch 'work.read_write' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2017-07-05 14:35:57 -07:00
vfs.h
xdr3.h sunrpc: properly type pc_encode callbacks 2017-05-15 17:42:25 +02:00
xdr4.h nfsd4: properly type op_func callbacks 2017-05-15 17:42:29 +02:00
xdr4cb.h
xdr.h sunrpc: properly type pc_encode callbacks 2017-05-15 17:42:25 +02:00