git.itanic.dy.fi Git - linux-stable/commit

author	Chuck Lever <chuck.lever@oracle.com>
	Fri, 24 Jul 2020 21:08:57 +0000 (17:08 -0400)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Wed, 19 Aug 2020 06:24:09 +0000 (08:24 +0200)
commit	3fcc358669ac72a390d8bc8ae43a8d0922e4f8d9
tree	b9c2eb56addce9d712cfac70fc8f18bea991386c	tree \| snapshot
parent	b88fd43a6dfc716aa6c700857c5e35f21fc8d3a9	commit \| diff

SUNRPC: Fix ("SUNRPC: Add "@len" parameter to gss_unwrap()")

[ Upstream commit 986a4b63d3bc5f2c0eb4083b05aff2bf883b7b2f ]

Braino when converting "buf->len -=" to "buf->len = len -".

The result is under-estimation of the ralign and rslack values. On
krb5p mounts, this has caused READDIR to fail with EIO, and KASAN
splats when decoding READLINK replies.

As a result of fixing this oversight, the gss_unwrap method now
returns a buf->len that can be shorter than priv_len for small
RPC messages. The additional adjustment done in unwrap_priv_data()
can underflow buf->len. This causes the nfsd_request_too_large
check to fail during some NFSv3 operations.

Reported-by: Marian Rainer-Harbach
Reported-by: Pierre Sauter <pierre.sauter@stwm.de>
BugLink: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1886277
Fixes: 31c9590ae468 ("SUNRPC: Add "@len" parameter to gss_unwrap()")
Reviewed-by: J. Bruce Fields <bfields@redhat.com>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>

net/sunrpc/auth_gss/gss_krb5_wrap.c		diff \| blob \| history
net/sunrpc/auth_gss/svcauth_gss.c		diff \| blob \| history