Patch "svcrpc: fix handling of too-short rpc's" has been added to the 3.10-stable tree

[gregkh]

This is a note to let you know that I've just added the patch titled

    svcrpc: fix handling of too-short rpc's

to the 3.10-stable tree which can be found at:
    
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     svcrpc-fix-handling-of-too-short-rpc-s.patch
and it can be found in the queue-3.10 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@vger.kernel.org> know about it.


>From cf3aa02cb4a0c5af5557dd47f15a08a7df33182a Mon Sep 17 00:00:00 2001
From: "J. Bruce Fields" <bfie...@redhat.com>
Date: Wed, 26 Jun 2013 11:09:06 -0400
Subject: svcrpc: fix handling of too-short rpc's

From: "J. Bruce Fields" <bfie...@redhat.com>

commit cf3aa02cb4a0c5af5557dd47f15a08a7df33182a upstream.

If we detect that an rpc is too short, we abort and close the
connection.  Except, there's a bug here: we're leaving sk_datalen
nonzero without leaving any pages in the sk_pages array.  The most
likely result of the inconsistency is a subsequent crash in
svc_tcp_clear_pages.

Also demote the BUG_ON in svc_tcp_clear_pages to a WARN.

Signed-off-by: J. Bruce Fields <bfie...@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---
 net/sunrpc/svcsock.c |    9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

--- a/net/sunrpc/svcsock.c
+++ b/net/sunrpc/svcsock.c
@@ -917,7 +917,10 @@ static void svc_tcp_clear_pages(struct s
        len = svsk->sk_datalen;
        npages = (len + PAGE_SIZE - 1) >> PAGE_SHIFT;
        for (i = 0; i < npages; i++) {
-               BUG_ON(svsk->sk_pages[i] == NULL);
+               if (svsk->sk_pages[i] == NULL) {
+                       WARN_ON_ONCE(1);
+                       continue;
+               }
                put_page(svsk->sk_pages[i]);
                svsk->sk_pages[i] = NULL;
        }
@@ -1092,8 +1095,10 @@ static int svc_tcp_recvfrom(struct svc_r
                goto err_noclose;
        }
 
-       if (svc_sock_reclen(svsk) < 8)
+       if (svc_sock_reclen(svsk) < 8) {
+               svsk->sk_datalen = 0;
                goto err_delete; /* client is nuts. */
+       }
 
        rqstp->rq_arg.len = svsk->sk_datalen;
        rqstp->rq_arg.page_base = 0;


Patches currently in stable-queue which might be from bfie...@redhat.com are

queue-3.10/svcrpc-fix-failures-to-handle-1-uid-s.patch
queue-3.10/svcrpc-fix-handling-of-too-short-rpc-s.patch
--
To unsubscribe from this list: send the line "unsubscribe stable" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html