49a068f82a
A struct xdr_stream at a page boundary might point to the end of one
page or the beginning of the next, but xdr_truncate_encode isn't
prepared to handle the former.
This can cause corruption of NFSv4 READDIR replies in the case that a
readdir entry that would have exceeded the client's dircount/maxcount
limit would have ended exactly on a 4k page boundary. You're more
likely to hit this case on large directories.
Other xdr_truncate_encode callers are probably also affected.
Reported-by: Holger Hoffstätte <holger.hoffstaette@googlemail.com>
Tested-by: Holger Hoffstätte <holger.hoffstaette@googlemail.com>
Fixes:
|
||
---|---|---|
.. | ||
auth_gss | ||
xprtrdma | ||
addr.c | ||
auth_generic.c | ||
auth_null.c | ||
auth_unix.c | ||
auth.c | ||
backchannel_rqst.c | ||
bc_svc.c | ||
cache.c | ||
clnt.c | ||
debugfs.c | ||
Kconfig | ||
Makefile | ||
netns.h | ||
rpc_pipe.c | ||
rpcb_clnt.c | ||
sched.c | ||
socklib.c | ||
stats.c | ||
sunrpc_syms.c | ||
sunrpc.h | ||
svc_xprt.c | ||
svc.c | ||
svcauth_unix.c | ||
svcauth.c | ||
svcsock.c | ||
sysctl.c | ||
timer.c | ||
xdr.c | ||
xprt.c | ||
xprtsock.c |