Commit ef93a685 authored by Trond Myklebust

NFS: Fix filehandle bounds checking in nfs_fh_to_dentry()



The function needs to check the minimal filehandle length before it can
access the embedded filehandle.

Reported-by: zhangjian <zhangjian496@huawei.com>
Fixes: 20fa1902 ("nfs: add export operations")
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
parent f66e6bff
+9 −2
@@ -66,14 +66,21 @@ nfs_fh_to_dentry(struct super_block *sb, struct fid *fid,
{
	struct nfs_fattr *fattr = NULL;
	struct nfs_fh *server_fh = nfs_exp_embedfh(fid->raw);
	size_t fh_size = offsetof(struct nfs_fh, data) + server_fh->size;
	size_t fh_size = offsetof(struct nfs_fh, data);
	const struct nfs_rpc_ops *rpc_ops;
	struct dentry *dentry;
	struct inode *inode;
	int len = EMBED_FH_OFF + XDR_QUADLEN(fh_size);
	int len = EMBED_FH_OFF;
	u32 *p = fid->raw;
	int ret;

	/* Initial check of bounds */
	if (fh_len < len + XDR_QUADLEN(fh_size) ||
	    fh_len > XDR_QUADLEN(NFS_MAXFHSIZE))
		return NULL;
	/* Calculate embedded filehandle size */
	fh_size += server_fh->size;
	len += XDR_QUADLEN(fh_size);
	/* NULL translates to ESTALE */
	if (fh_len < len || fh_type != len)
		return NULL;
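Review bot: The initial bounds check compares `fh_len` with `len + XDR_QUADLEN(fh_size)`, and since `fh_size` is a `size_t` that sum is presumably unsigned. If `fh_len` is a signed `int` (its declaration is on the part of the signature outside this hunk), a negative value would convert to a large number, pass this check, and reach the `server_fh->size` read before the later `fh_len < len` test rejects it. Callers probably never pass a negative length, but this guard is the only thing protecting that read, so keeping the comparison signed is cheap insurance: `if (fh_len < len + (int)XDR_QUADLEN(fh_size) ||`. The comment could also state what the check guarantees, e.g. `/* fh_len must cover the fixed part of the embedded nfs_fh before ->size is read */`. The function body continues past the end of the hunk.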