Commit 1242a87d authored Sep 01, 2022 by Chuck Lever

SUNRPC: Fix svcxdr_init_encode's buflen calculation



Commit 2825a7f9 ("nfsd4: allow encoding across page boundaries")
added an explicit computation of the remaining length in the rq_res
XDR buffer.

The computation appears to suffer from an "off-by-one" bug. Because
buflen is too large by one page, XDR encoding can run off the end of
the send buffer by eventually trying to use the struct page address
in rq_page_end, which always contains NULL.

Fixes: bddfdbcd ("NFSD: Extract the svcxdr_init_encode() helper")
Reviewed-by: Jeff Layton <jlayton@kernel.org>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>

parent 90bfc37b

include/linux/sunrpc/svc.h

+1 −1

Original line number	Diff line number	Diff line
		@@ -587,7 +587,7 @@ static inline void svcxdr_init_encode(struct svc_rqst *rqstp)
		xdr->end = resv->iov_base + PAGE_SIZE - rqstp->rq_auth_slack;
		buf->len = resv->iov_len;
		xdr->page_ptr = buf->pages - 1;
		buf->buflen = PAGE_SIZE * (1 + rqstp->rq_page_end - buf->pages);
		buf->buflen = PAGE_SIZE * (rqstp->rq_page_end - buf->pages);
		buf->buflen -= rqstp->rq_auth_slack;
		xdr->rqst = NULL;
		}