| From 51904b08072a8bf2b9ed74d1bd7a5300a614471d Mon Sep 17 00:00:00 2001 |
| From: "J. Bruce Fields" <bfields@redhat.com> |
| Date: Wed, 22 Oct 2014 14:46:29 -0400 |
| Subject: nfsd4: fix crash on unknown operation number |
| |
| From: "J. Bruce Fields" <bfields@redhat.com> |
| |
| commit 51904b08072a8bf2b9ed74d1bd7a5300a614471d upstream. |
| |
| Unknown operation numbers are caught in nfsd4_decode_compound() which |
| sets op->opnum to OP_ILLEGAL and op->status to nfserr_op_illegal. The |
| error causes the main loop in nfsd4_proc_compound() to skip most |
| processing. But nfsd4_proc_compound also peeks ahead at the next |
| operation in one case and doesn't take similar precautions there. |
| |
| Signed-off-by: J. Bruce Fields <bfields@redhat.com> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| |
| --- |
| fs/nfsd/nfs4proc.c | 3 ++- |
| 1 file changed, 2 insertions(+), 1 deletion(-) |
| |
| --- a/fs/nfsd/nfs4proc.c |
| +++ b/fs/nfsd/nfs4proc.c |
| @@ -1229,7 +1229,8 @@ static bool need_wrongsec_check(struct s |
| */ |
| if (argp->opcnt == resp->opcnt) |
| return false; |
| - |
| + if (next->opnum == OP_ILLEGAL) |
| + return false; |
| nextd = OPDESC(next); |
| /* |
| * Rest of 2.6.3.1.1: certain operations will return WRONGSEC |
