SUNRPC: Fix ("SUNRPC: Add "@len" parameter to gss_unwrap()")
[ Upstream commit986a4b63d3
] Braino when converting "buf->len -=" to "buf->len = len -". The result is under-estimation of the ralign and rslack values. On krb5p mounts, this has caused READDIR to fail with EIO, and KASAN splats when decoding READLINK replies. As a result of fixing this oversight, the gss_unwrap method now returns a buf->len that can be shorter than priv_len for small RPC messages. The additional adjustment done in unwrap_priv_data() can underflow buf->len. This causes the nfsd_request_too_large check to fail during some NFSv3 operations. Reported-by: Marian Rainer-Harbach Reported-by: Pierre Sauter <pierre.sauter@stwm.de> BugLink: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1886277 Fixes:31c9590ae4
("SUNRPC: Add "@len" parameter to gss_unwrap()") Reviewed-by: J. Bruce Fields <bfields@redhat.com> Signed-off-by: Chuck Lever <chuck.lever@oracle.com> Signed-off-by: Sasha Levin <sashal@kernel.org>
This commit is contained in:
parent
789be9705e
commit
18d1bb4973
|
@ -584,7 +584,7 @@ gss_unwrap_kerberos_v2(struct krb5_ctx *kctx, int offset, int len,
|
||||||
buf->head[0].iov_len);
|
buf->head[0].iov_len);
|
||||||
memmove(ptr, ptr + GSS_KRB5_TOK_HDR_LEN + headskip, movelen);
|
memmove(ptr, ptr + GSS_KRB5_TOK_HDR_LEN + headskip, movelen);
|
||||||
buf->head[0].iov_len -= GSS_KRB5_TOK_HDR_LEN + headskip;
|
buf->head[0].iov_len -= GSS_KRB5_TOK_HDR_LEN + headskip;
|
||||||
buf->len = len - GSS_KRB5_TOK_HDR_LEN + headskip;
|
buf->len = len - (GSS_KRB5_TOK_HDR_LEN + headskip);
|
||||||
|
|
||||||
/* Trim off the trailing "extra count" and checksum blob */
|
/* Trim off the trailing "extra count" and checksum blob */
|
||||||
xdr_buf_trim(buf, ec + GSS_KRB5_TOK_HDR_LEN + tailskip);
|
xdr_buf_trim(buf, ec + GSS_KRB5_TOK_HDR_LEN + tailskip);
|
||||||
|
|
|
@ -949,7 +949,6 @@ unwrap_priv_data(struct svc_rqst *rqstp, struct xdr_buf *buf, u32 seq, struct gs
|
||||||
|
|
||||||
maj_stat = gss_unwrap(ctx, 0, priv_len, buf);
|
maj_stat = gss_unwrap(ctx, 0, priv_len, buf);
|
||||||
pad = priv_len - buf->len;
|
pad = priv_len - buf->len;
|
||||||
buf->len -= pad;
|
|
||||||
/* The upper layers assume the buffer is aligned on 4-byte boundaries.
|
/* The upper layers assume the buffer is aligned on 4-byte boundaries.
|
||||||
* In the krb5p case, at least, the data ends up offset, so we need to
|
* In the krb5p case, at least, the data ends up offset, so we need to
|
||||||
* move it around. */
|
* move it around. */
|
||||||
|
|
Loading…
Reference in New Issue