[PATCH 4.14 130/157] nfsd: restrict rd_maxcount to svc_max_payload in nfsd_encode_readdir

From: Greg Kroah-Hartman
Date: Sun Jul 01 2018 - 12:35:16 EST


4.14-stable review patch. If anyone has any objections, please let me know.

------------------

From: Scott Mayhew <smayhew@xxxxxxxxxx>

commit 9c2ece6ef67e9d376f32823086169b489c422ed0 upstream.

nfsd4_readdir_rsize restricts rd_maxcount to svc_max_payload when
estimating the size of the readdir reply, but nfsd_encode_readdir
restricts it to INT_MAX when encoding the reply. This can result in log
messages like "kernel: RPC request reserved 32896 but used 1049444".

Restrict rd_dircount similarly (no reason it should be larger than
svc_max_payload).

Signed-off-by: Scott Mayhew <smayhew@xxxxxxxxxx>
Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: J. Bruce Fields <bfields@xxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>

---
fs/nfsd/nfs4xdr.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)

--- a/fs/nfsd/nfs4xdr.c
+++ b/fs/nfsd/nfs4xdr.c
@@ -3645,7 +3645,8 @@ nfsd4_encode_readdir(struct nfsd4_compou
nfserr = nfserr_resource;
goto err_no_verf;
}
- maxcount = min_t(u32, readdir->rd_maxcount, INT_MAX);
+ maxcount = svc_max_payload(resp->rqstp);
+ maxcount = min_t(u32, readdir->rd_maxcount, maxcount);
/*
* Note the rfc defines rd_maxcount as the size of the
* READDIR4resok structure, which includes the verifier above
@@ -3659,7 +3660,7 @@ nfsd4_encode_readdir(struct nfsd4_compou

/* RFC 3530 14.2.24 allows us to ignore dircount when it's 0: */
if (!readdir->rd_dircount)
- readdir->rd_dircount = INT_MAX;
+ readdir->rd_dircount = svc_max_payload(resp->rqstp);

readdir->xdr = xdr;
readdir->rd_maxcount = maxcount;