Re: [PATCH] nfsd: fix XDR length calculation in nfsd4_ff_encode_layoutget

From: Chuck Lever

Date: Thu May 28 2026 - 11:34:18 EST


From: Chuck Lever <chuck.lever@xxxxxxxxxx>

On Thu, 28 May 2026 10:38:15 -0400, Jeff Layton wrote:
> The XDR buffer size calculation in nfsd4_ff_encode_layoutget() has
> multiple errors that can result in either an out-of-bounds write or
> leaking uninitialized kernel memory to the client:
>
> - fh_len doesn't account for XDR padding on the file handle data
> - uid and gid lengths use "8 + len" but xdr_encode_opaque() actually
> writes "4 + xdr_align_size(len)" bytes
> - ds_len omits the flags and stats_collect_hint fields (8 bytes),
> while len's header constant overestimates by 8 bytes -- these
> partially cancel but leave a net mismatch
>
> [...]

Applied to nfsd-testing, thanks!

[1/1] nfsd: fix XDR length calculation in nfsd4_ff_encode_layoutget
commit: c8bb9d5360bfb534065aed091579199ad2843f43

--
Chuck Lever <chuck.lever@xxxxxxxxxx>
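As an added illustration, not code from the patch or from either poster: a user-space C model of the sizing arithmetic the description refers to, comparing what xdr_encode_opaque() emits (4-byte length word plus data padded to a 4-byte boundary) against the reserve formulas quoted above. The "4 + len" form for the old fh_len is an assumption drawn from the "doesn't account for XDR padding" bullet; "8 + len" for uid/gid is quoted verbatim. A negative delta means the encoder writes past the reserve, a positive one means reserved bytes are never filled.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* XDR pads every opaque to a 4-byte boundary; mirrors sunrpc's xdr_align_size(). */
static size_t xdr_align_size(size_t n) { return (n + 3) & ~(size_t)3; }

/* Bytes xdr_encode_opaque() actually emits: 4-byte length word + padded data. */
static size_t xdr_opaque_len(size_t n) { return 4 + xdr_align_size(n); }

/* Reserve formulas the description attributes to the old code.
 * fh: "doesn't account for XDR padding" is modelled as 4 + len (assumption).
 * uid/gid: "8 + len" is quoted from the description. */
static size_t old_fh_reserve(size_t n) { return 4 + n; }
static size_t old_id_reserve(size_t n) { return 8 + n; }

/* reserved - written: < 0 means the reserve is too small (write runs past it),
 * > 0 means reserved bytes are never written (uninitialized slack). */
static long reserve_delta(size_t reserved, size_t n)
{
    return (long)reserved - (long)xdr_opaque_len(n);
}

/* User-space stand-in for xdr_encode_opaque(): length word, data, zero pad.
 * Returns bytes written so a caller can check it against its reserve. */
static size_t encode_opaque(uint8_t *out, const void *data, size_t n)
{
    size_t pad = xdr_align_size(n) - n;
    out[0] = (uint8_t)(n >> 24); out[1] = (uint8_t)(n >> 16);
    out[2] = (uint8_t)(n >> 8);  out[3] = (uint8_t)n;
    memcpy(out + 4, data, n);
    memset(out + 4 + n, 0, pad);
    return 4 + n + pad;
}

int main(void)
{
    uint8_t buf[64];
    const uint8_t fh[5] = { 1, 2, 3, 4, 5 };   /* constructed 5-byte file handle */
    size_t written = encode_opaque(buf, fh, sizeof fh);

    printf("fh:  reserved %zu, wrote %zu, delta %ld\n", old_fh_reserve(5),
           written, reserve_delta(old_fh_reserve(5), 5));
    printf("uid: reserved %zu, needed %zu, delta %ld\n", old_id_reserve(5),
           xdr_opaque_len(5), reserve_delta(old_id_reserve(5), 5));
    return 0;
}
```

For a 5-byte handle the old fh reserve is 3 bytes short, while "8 + len" over-reserves by 1 to 4 bytes for every length, so the two classes of error in the description show up with opposite signs.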