aboutsummaryrefslogtreecommitdiffstats
path: root/fs/nfs/nfs4xdr.c
diff options
context:
space:
mode:
Diffstat (limited to 'fs/nfs/nfs4xdr.c')
-rw-r--r--fs/nfs/nfs4xdr.c475
1 files changed, 379 insertions, 96 deletions
diff --git a/fs/nfs/nfs4xdr.c b/fs/nfs/nfs4xdr.c
index 3f49da0960e3..b0d690c3a24c 100644
--- a/fs/nfs/nfs4xdr.c
+++ b/fs/nfs/nfs4xdr.c
@@ -2423,24 +2423,6 @@ static int nfs4_xdr_enc_get_lease_time(struct rpc_rqst *req, uint32_t *p,
2423} 2423}
2424#endif /* CONFIG_NFS_V4_1 */ 2424#endif /* CONFIG_NFS_V4_1 */
2425 2425
2426/*
2427 * START OF "GENERIC" DECODE ROUTINES.
2428 * These may look a little ugly since they are imported from a "generic"
2429 * set of XDR encode/decode routines which are intended to be shared by
2430 * all of our NFSv4 implementations (OpenBSD, MacOS X...).
2431 *
2432 * If the pain of reading these is too great, it should be a straightforward
2433 * task to translate them into Linux-specific versions which are more
2434 * consistent with the style used in NFSv2/v3...
2435 */
2436#define READ_BUF(nbytes) do { \
2437 p = xdr_inline_decode(xdr, nbytes); \
2438 if (unlikely(!p)) { \
2439 print_overflow_msg(__func__, xdr); \
2440 return -EIO; \
2441 } \
2442} while (0)
2443
2444static void print_overflow_msg(const char *func, const struct xdr_stream *xdr) 2426static void print_overflow_msg(const char *func, const struct xdr_stream *xdr)
2445{ 2427{
2446 dprintk("nfs: %s: prematurely hit end of receive buffer. " 2428 dprintk("nfs: %s: prematurely hit end of receive buffer. "
@@ -2452,28 +2434,42 @@ static int decode_opaque_inline(struct xdr_stream *xdr, unsigned int *len, char
2452{ 2434{
2453 __be32 *p; 2435 __be32 *p;
2454 2436
2455 READ_BUF(4); 2437 p = xdr_inline_decode(xdr, 4);
2438 if (unlikely(!p))
2439 goto out_overflow;
2456 *len = be32_to_cpup(p++); 2440 *len = be32_to_cpup(p++);
2457 READ_BUF(*len); 2441 p = xdr_inline_decode(xdr, *len);
2442 if (unlikely(!p))
2443 goto out_overflow;
2458 *string = (char *)p; 2444 *string = (char *)p;
2459 return 0; 2445 return 0;
2446out_overflow:
2447 print_overflow_msg(__func__, xdr);
2448 return -EIO;
2460} 2449}
2461 2450
2462static int decode_compound_hdr(struct xdr_stream *xdr, struct compound_hdr *hdr) 2451static int decode_compound_hdr(struct xdr_stream *xdr, struct compound_hdr *hdr)
2463{ 2452{
2464 __be32 *p; 2453 __be32 *p;
2465 2454
2466 READ_BUF(8); 2455 p = xdr_inline_decode(xdr, 8);
2456 if (unlikely(!p))
2457 goto out_overflow;
2467 hdr->status = be32_to_cpup(p++); 2458 hdr->status = be32_to_cpup(p++);
2468 hdr->taglen = be32_to_cpup(p++); 2459 hdr->taglen = be32_to_cpup(p++);
2469 2460
2470 READ_BUF(hdr->taglen + 4); 2461 p = xdr_inline_decode(xdr, hdr->taglen + 4);
2462 if (unlikely(!p))
2463 goto out_overflow;
2471 hdr->tag = (char *)p; 2464 hdr->tag = (char *)p;
2472 p += XDR_QUADLEN(hdr->taglen); 2465 p += XDR_QUADLEN(hdr->taglen);
2473 hdr->nops = be32_to_cpup(p++); 2466 hdr->nops = be32_to_cpup(p++);
2474 if (unlikely(hdr->nops < 1)) 2467 if (unlikely(hdr->nops < 1))
2475 return nfs4_stat_to_errno(hdr->status); 2468 return nfs4_stat_to_errno(hdr->status);
2476 return 0; 2469 return 0;
2470out_overflow:
2471 print_overflow_msg(__func__, xdr);
2472 return -EIO;
2477} 2473}
2478 2474
2479static int decode_op_hdr(struct xdr_stream *xdr, enum nfs_opnum4 expected) 2475static int decode_op_hdr(struct xdr_stream *xdr, enum nfs_opnum4 expected)
@@ -2482,7 +2478,9 @@ static int decode_op_hdr(struct xdr_stream *xdr, enum nfs_opnum4 expected)
2482 uint32_t opnum; 2478 uint32_t opnum;
2483 int32_t nfserr; 2479 int32_t nfserr;
2484 2480
2485 READ_BUF(8); 2481 p = xdr_inline_decode(xdr, 8);
2482 if (unlikely(!p))
2483 goto out_overflow;
2486 opnum = be32_to_cpup(p++); 2484 opnum = be32_to_cpup(p++);
2487 if (opnum != expected) { 2485 if (opnum != expected) {
2488 dprintk("nfs: Server returned operation" 2486 dprintk("nfs: Server returned operation"
@@ -2494,6 +2492,9 @@ static int decode_op_hdr(struct xdr_stream *xdr, enum nfs_opnum4 expected)
2494 if (nfserr != NFS_OK) 2492 if (nfserr != NFS_OK)
2495 return nfs4_stat_to_errno(nfserr); 2493 return nfs4_stat_to_errno(nfserr);
2496 return 0; 2494 return 0;
2495out_overflow:
2496 print_overflow_msg(__func__, xdr);
2497 return -EIO;
2497} 2498}
2498 2499
2499/* Dummy routine */ 2500/* Dummy routine */
@@ -2503,8 +2504,11 @@ static int decode_ace(struct xdr_stream *xdr, void *ace, struct nfs_client *clp)
2503 unsigned int strlen; 2504 unsigned int strlen;
2504 char *str; 2505 char *str;
2505 2506
2506 READ_BUF(12); 2507 p = xdr_inline_decode(xdr, 12);
2507 return decode_opaque_inline(xdr, &strlen, &str); 2508 if (likely(p))
2509 return decode_opaque_inline(xdr, &strlen, &str);
2510 print_overflow_msg(__func__, xdr);
2511 return -EIO;
2508} 2512}
2509 2513
2510static int decode_attr_bitmap(struct xdr_stream *xdr, uint32_t *bitmap) 2514static int decode_attr_bitmap(struct xdr_stream *xdr, uint32_t *bitmap)
@@ -2512,27 +2516,39 @@ static int decode_attr_bitmap(struct xdr_stream *xdr, uint32_t *bitmap)
2512 uint32_t bmlen; 2516 uint32_t bmlen;
2513 __be32 *p; 2517 __be32 *p;
2514 2518
2515 READ_BUF(4); 2519 p = xdr_inline_decode(xdr, 4);
2520 if (unlikely(!p))
2521 goto out_overflow;
2516 bmlen = be32_to_cpup(p++); 2522 bmlen = be32_to_cpup(p++);
2517 2523
2518 bitmap[0] = bitmap[1] = 0; 2524 bitmap[0] = bitmap[1] = 0;
2519 READ_BUF((bmlen << 2)); 2525 p = xdr_inline_decode(xdr, (bmlen << 2));
2526 if (unlikely(!p))
2527 goto out_overflow;
2520 if (bmlen > 0) { 2528 if (bmlen > 0) {
2521 bitmap[0] = be32_to_cpup(p++); 2529 bitmap[0] = be32_to_cpup(p++);
2522 if (bmlen > 1) 2530 if (bmlen > 1)
2523 bitmap[1] = be32_to_cpup(p++); 2531 bitmap[1] = be32_to_cpup(p++);
2524 } 2532 }
2525 return 0; 2533 return 0;
2534out_overflow:
2535 print_overflow_msg(__func__, xdr);
2536 return -EIO;
2526} 2537}
2527 2538
2528static inline int decode_attr_length(struct xdr_stream *xdr, uint32_t *attrlen, __be32 **savep) 2539static inline int decode_attr_length(struct xdr_stream *xdr, uint32_t *attrlen, __be32 **savep)
2529{ 2540{
2530 __be32 *p; 2541 __be32 *p;
2531 2542
2532 READ_BUF(4); 2543 p = xdr_inline_decode(xdr, 4);
2544 if (unlikely(!p))
2545 goto out_overflow;
2533 *attrlen = be32_to_cpup(p++); 2546 *attrlen = be32_to_cpup(p++);
2534 *savep = xdr->p; 2547 *savep = xdr->p;
2535 return 0; 2548 return 0;
2549out_overflow:
2550 print_overflow_msg(__func__, xdr);
2551 return -EIO;
2536} 2552}
2537 2553
2538static int decode_attr_supported(struct xdr_stream *xdr, uint32_t *bitmap, uint32_t *bitmask) 2554static int decode_attr_supported(struct xdr_stream *xdr, uint32_t *bitmap, uint32_t *bitmask)
@@ -2555,7 +2571,9 @@ static int decode_attr_type(struct xdr_stream *xdr, uint32_t *bitmap, uint32_t *
2555 if (unlikely(bitmap[0] & (FATTR4_WORD0_TYPE - 1U))) 2571 if (unlikely(bitmap[0] & (FATTR4_WORD0_TYPE - 1U)))
2556 return -EIO; 2572 return -EIO;
2557 if (likely(bitmap[0] & FATTR4_WORD0_TYPE)) { 2573 if (likely(bitmap[0] & FATTR4_WORD0_TYPE)) {
2558 READ_BUF(4); 2574 p = xdr_inline_decode(xdr, 4);
2575 if (unlikely(!p))
2576 goto out_overflow;
2559 *type = be32_to_cpup(p++); 2577 *type = be32_to_cpup(p++);
2560 if (*type < NF4REG || *type > NF4NAMEDATTR) { 2578 if (*type < NF4REG || *type > NF4NAMEDATTR) {
2561 dprintk("%s: bad type %d\n", __func__, *type); 2579 dprintk("%s: bad type %d\n", __func__, *type);
@@ -2566,6 +2584,9 @@ static int decode_attr_type(struct xdr_stream *xdr, uint32_t *bitmap, uint32_t *
2566 } 2584 }
2567 dprintk("%s: type=0%o\n", __func__, nfs_type2fmt[*type]); 2585 dprintk("%s: type=0%o\n", __func__, nfs_type2fmt[*type]);
2568 return ret; 2586 return ret;
2587out_overflow:
2588 print_overflow_msg(__func__, xdr);
2589 return -EIO;
2569} 2590}
2570 2591
2571static int decode_attr_change(struct xdr_stream *xdr, uint32_t *bitmap, uint64_t *change) 2592static int decode_attr_change(struct xdr_stream *xdr, uint32_t *bitmap, uint64_t *change)
@@ -2577,7 +2598,9 @@ static int decode_attr_change(struct xdr_stream *xdr, uint32_t *bitmap, uint64_t
2577 if (unlikely(bitmap[0] & (FATTR4_WORD0_CHANGE - 1U))) 2598 if (unlikely(bitmap[0] & (FATTR4_WORD0_CHANGE - 1U)))
2578 return -EIO; 2599 return -EIO;
2579 if (likely(bitmap[0] & FATTR4_WORD0_CHANGE)) { 2600 if (likely(bitmap[0] & FATTR4_WORD0_CHANGE)) {
2580 READ_BUF(8); 2601 p = xdr_inline_decode(xdr, 8);
2602 if (unlikely(!p))
2603 goto out_overflow;
2581 p = xdr_decode_hyper(p, change); 2604 p = xdr_decode_hyper(p, change);
2582 bitmap[0] &= ~FATTR4_WORD0_CHANGE; 2605 bitmap[0] &= ~FATTR4_WORD0_CHANGE;
2583 ret = NFS_ATTR_FATTR_CHANGE; 2606 ret = NFS_ATTR_FATTR_CHANGE;
@@ -2585,6 +2608,9 @@ static int decode_attr_change(struct xdr_stream *xdr, uint32_t *bitmap, uint64_t
2585 dprintk("%s: change attribute=%Lu\n", __func__, 2608 dprintk("%s: change attribute=%Lu\n", __func__,
2586 (unsigned long long)*change); 2609 (unsigned long long)*change);
2587 return ret; 2610 return ret;
2611out_overflow:
2612 print_overflow_msg(__func__, xdr);
2613 return -EIO;
2588} 2614}
2589 2615
2590static int decode_attr_size(struct xdr_stream *xdr, uint32_t *bitmap, uint64_t *size) 2616static int decode_attr_size(struct xdr_stream *xdr, uint32_t *bitmap, uint64_t *size)
@@ -2596,13 +2622,18 @@ static int decode_attr_size(struct xdr_stream *xdr, uint32_t *bitmap, uint64_t *
2596 if (unlikely(bitmap[0] & (FATTR4_WORD0_SIZE - 1U))) 2622 if (unlikely(bitmap[0] & (FATTR4_WORD0_SIZE - 1U)))
2597 return -EIO; 2623 return -EIO;
2598 if (likely(bitmap[0] & FATTR4_WORD0_SIZE)) { 2624 if (likely(bitmap[0] & FATTR4_WORD0_SIZE)) {
2599 READ_BUF(8); 2625 p = xdr_inline_decode(xdr, 8);
2626 if (unlikely(!p))
2627 goto out_overflow;
2600 p = xdr_decode_hyper(p, size); 2628 p = xdr_decode_hyper(p, size);
2601 bitmap[0] &= ~FATTR4_WORD0_SIZE; 2629 bitmap[0] &= ~FATTR4_WORD0_SIZE;
2602 ret = NFS_ATTR_FATTR_SIZE; 2630 ret = NFS_ATTR_FATTR_SIZE;
2603 } 2631 }
2604 dprintk("%s: file size=%Lu\n", __func__, (unsigned long long)*size); 2632 dprintk("%s: file size=%Lu\n", __func__, (unsigned long long)*size);
2605 return ret; 2633 return ret;
2634out_overflow:
2635 print_overflow_msg(__func__, xdr);
2636 return -EIO;
2606} 2637}
2607 2638
2608static int decode_attr_link_support(struct xdr_stream *xdr, uint32_t *bitmap, uint32_t *res) 2639static int decode_attr_link_support(struct xdr_stream *xdr, uint32_t *bitmap, uint32_t *res)
@@ -2613,12 +2644,17 @@ static int decode_attr_link_support(struct xdr_stream *xdr, uint32_t *bitmap, ui
2613 if (unlikely(bitmap[0] & (FATTR4_WORD0_LINK_SUPPORT - 1U))) 2644 if (unlikely(bitmap[0] & (FATTR4_WORD0_LINK_SUPPORT - 1U)))
2614 return -EIO; 2645 return -EIO;
2615 if (likely(bitmap[0] & FATTR4_WORD0_LINK_SUPPORT)) { 2646 if (likely(bitmap[0] & FATTR4_WORD0_LINK_SUPPORT)) {
2616 READ_BUF(4); 2647 p = xdr_inline_decode(xdr, 4);
2648 if (unlikely(!p))
2649 goto out_overflow;
2617 *res = be32_to_cpup(p++); 2650 *res = be32_to_cpup(p++);
2618 bitmap[0] &= ~FATTR4_WORD0_LINK_SUPPORT; 2651 bitmap[0] &= ~FATTR4_WORD0_LINK_SUPPORT;
2619 } 2652 }
2620 dprintk("%s: link support=%s\n", __func__, *res == 0 ? "false" : "true"); 2653 dprintk("%s: link support=%s\n", __func__, *res == 0 ? "false" : "true");
2621 return 0; 2654 return 0;
2655out_overflow:
2656 print_overflow_msg(__func__, xdr);
2657 return -EIO;
2622} 2658}
2623 2659
2624static int decode_attr_symlink_support(struct xdr_stream *xdr, uint32_t *bitmap, uint32_t *res) 2660static int decode_attr_symlink_support(struct xdr_stream *xdr, uint32_t *bitmap, uint32_t *res)
@@ -2629,12 +2665,17 @@ static int decode_attr_symlink_support(struct xdr_stream *xdr, uint32_t *bitmap,
2629 if (unlikely(bitmap[0] & (FATTR4_WORD0_SYMLINK_SUPPORT - 1U))) 2665 if (unlikely(bitmap[0] & (FATTR4_WORD0_SYMLINK_SUPPORT - 1U)))
2630 return -EIO; 2666 return -EIO;
2631 if (likely(bitmap[0] & FATTR4_WORD0_SYMLINK_SUPPORT)) { 2667 if (likely(bitmap[0] & FATTR4_WORD0_SYMLINK_SUPPORT)) {
2632 READ_BUF(4); 2668 p = xdr_inline_decode(xdr, 4);
2669 if (unlikely(!p))
2670 goto out_overflow;
2633 *res = be32_to_cpup(p++); 2671 *res = be32_to_cpup(p++);
2634 bitmap[0] &= ~FATTR4_WORD0_SYMLINK_SUPPORT; 2672 bitmap[0] &= ~FATTR4_WORD0_SYMLINK_SUPPORT;
2635 } 2673 }
2636 dprintk("%s: symlink support=%s\n", __func__, *res == 0 ? "false" : "true"); 2674 dprintk("%s: symlink support=%s\n", __func__, *res == 0 ? "false" : "true");
2637 return 0; 2675 return 0;
2676out_overflow:
2677 print_overflow_msg(__func__, xdr);
2678 return -EIO;
2638} 2679}
2639 2680
2640static int decode_attr_fsid(struct xdr_stream *xdr, uint32_t *bitmap, struct nfs_fsid *fsid) 2681static int decode_attr_fsid(struct xdr_stream *xdr, uint32_t *bitmap, struct nfs_fsid *fsid)
@@ -2647,7 +2688,9 @@ static int decode_attr_fsid(struct xdr_stream *xdr, uint32_t *bitmap, struct nfs
2647 if (unlikely(bitmap[0] & (FATTR4_WORD0_FSID - 1U))) 2688 if (unlikely(bitmap[0] & (FATTR4_WORD0_FSID - 1U)))
2648 return -EIO; 2689 return -EIO;
2649 if (likely(bitmap[0] & FATTR4_WORD0_FSID)) { 2690 if (likely(bitmap[0] & FATTR4_WORD0_FSID)) {
2650 READ_BUF(16); 2691 p = xdr_inline_decode(xdr, 16);
2692 if (unlikely(!p))
2693 goto out_overflow;
2651 p = xdr_decode_hyper(p, &fsid->major); 2694 p = xdr_decode_hyper(p, &fsid->major);
2652 p = xdr_decode_hyper(p, &fsid->minor); 2695 p = xdr_decode_hyper(p, &fsid->minor);
2653 bitmap[0] &= ~FATTR4_WORD0_FSID; 2696 bitmap[0] &= ~FATTR4_WORD0_FSID;
@@ -2657,6 +2700,9 @@ static int decode_attr_fsid(struct xdr_stream *xdr, uint32_t *bitmap, struct nfs
2657 (unsigned long long)fsid->major, 2700 (unsigned long long)fsid->major,
2658 (unsigned long long)fsid->minor); 2701 (unsigned long long)fsid->minor);
2659 return ret; 2702 return ret;
2703out_overflow:
2704 print_overflow_msg(__func__, xdr);
2705 return -EIO;
2660} 2706}
2661 2707
2662static int decode_attr_lease_time(struct xdr_stream *xdr, uint32_t *bitmap, uint32_t *res) 2708static int decode_attr_lease_time(struct xdr_stream *xdr, uint32_t *bitmap, uint32_t *res)
@@ -2667,12 +2713,17 @@ static int decode_attr_lease_time(struct xdr_stream *xdr, uint32_t *bitmap, uint
2667 if (unlikely(bitmap[0] & (FATTR4_WORD0_LEASE_TIME - 1U))) 2713 if (unlikely(bitmap[0] & (FATTR4_WORD0_LEASE_TIME - 1U)))
2668 return -EIO; 2714 return -EIO;
2669 if (likely(bitmap[0] & FATTR4_WORD0_LEASE_TIME)) { 2715 if (likely(bitmap[0] & FATTR4_WORD0_LEASE_TIME)) {
2670 READ_BUF(4); 2716 p = xdr_inline_decode(xdr, 4);
2717 if (unlikely(!p))
2718 goto out_overflow;
2671 *res = be32_to_cpup(p++); 2719 *res = be32_to_cpup(p++);
2672 bitmap[0] &= ~FATTR4_WORD0_LEASE_TIME; 2720 bitmap[0] &= ~FATTR4_WORD0_LEASE_TIME;
2673 } 2721 }
2674 dprintk("%s: file size=%u\n", __func__, (unsigned int)*res); 2722 dprintk("%s: file size=%u\n", __func__, (unsigned int)*res);
2675 return 0; 2723 return 0;
2724out_overflow:
2725 print_overflow_msg(__func__, xdr);
2726 return -EIO;
2676} 2727}
2677 2728
2678static int decode_attr_aclsupport(struct xdr_stream *xdr, uint32_t *bitmap, uint32_t *res) 2729static int decode_attr_aclsupport(struct xdr_stream *xdr, uint32_t *bitmap, uint32_t *res)
@@ -2683,12 +2734,17 @@ static int decode_attr_aclsupport(struct xdr_stream *xdr, uint32_t *bitmap, uint
2683 if (unlikely(bitmap[0] & (FATTR4_WORD0_ACLSUPPORT - 1U))) 2734 if (unlikely(bitmap[0] & (FATTR4_WORD0_ACLSUPPORT - 1U)))
2684 return -EIO; 2735 return -EIO;
2685 if (likely(bitmap[0] & FATTR4_WORD0_ACLSUPPORT)) { 2736 if (likely(bitmap[0] & FATTR4_WORD0_ACLSUPPORT)) {
2686 READ_BUF(4); 2737 p = xdr_inline_decode(xdr, 4);
2738 if (unlikely(!p))
2739 goto out_overflow;
2687 *res = be32_to_cpup(p++); 2740 *res = be32_to_cpup(p++);
2688 bitmap[0] &= ~FATTR4_WORD0_ACLSUPPORT; 2741 bitmap[0] &= ~FATTR4_WORD0_ACLSUPPORT;
2689 } 2742 }
2690 dprintk("%s: ACLs supported=%u\n", __func__, (unsigned int)*res); 2743 dprintk("%s: ACLs supported=%u\n", __func__, (unsigned int)*res);
2691 return 0; 2744 return 0;
2745out_overflow:
2746 print_overflow_msg(__func__, xdr);
2747 return -EIO;
2692} 2748}
2693 2749
2694static int decode_attr_fileid(struct xdr_stream *xdr, uint32_t *bitmap, uint64_t *fileid) 2750static int decode_attr_fileid(struct xdr_stream *xdr, uint32_t *bitmap, uint64_t *fileid)
@@ -2700,13 +2756,18 @@ static int decode_attr_fileid(struct xdr_stream *xdr, uint32_t *bitmap, uint64_t
2700 if (unlikely(bitmap[0] & (FATTR4_WORD0_FILEID - 1U))) 2756 if (unlikely(bitmap[0] & (FATTR4_WORD0_FILEID - 1U)))
2701 return -EIO; 2757 return -EIO;
2702 if (likely(bitmap[0] & FATTR4_WORD0_FILEID)) { 2758 if (likely(bitmap[0] & FATTR4_WORD0_FILEID)) {
2703 READ_BUF(8); 2759 p = xdr_inline_decode(xdr, 8);
2760 if (unlikely(!p))
2761 goto out_overflow;
2704 p = xdr_decode_hyper(p, fileid); 2762 p = xdr_decode_hyper(p, fileid);
2705 bitmap[0] &= ~FATTR4_WORD0_FILEID; 2763 bitmap[0] &= ~FATTR4_WORD0_FILEID;
2706 ret = NFS_ATTR_FATTR_FILEID; 2764 ret = NFS_ATTR_FATTR_FILEID;
2707 } 2765 }
2708 dprintk("%s: fileid=%Lu\n", __func__, (unsigned long long)*fileid); 2766 dprintk("%s: fileid=%Lu\n", __func__, (unsigned long long)*fileid);
2709 return ret; 2767 return ret;
2768out_overflow:
2769 print_overflow_msg(__func__, xdr);
2770 return -EIO;
2710} 2771}
2711 2772
2712static int decode_attr_mounted_on_fileid(struct xdr_stream *xdr, uint32_t *bitmap, uint64_t *fileid) 2773static int decode_attr_mounted_on_fileid(struct xdr_stream *xdr, uint32_t *bitmap, uint64_t *fileid)
@@ -2718,13 +2779,18 @@ static int decode_attr_mounted_on_fileid(struct xdr_stream *xdr, uint32_t *bitma
2718 if (unlikely(bitmap[1] & (FATTR4_WORD1_MOUNTED_ON_FILEID - 1U))) 2779 if (unlikely(bitmap[1] & (FATTR4_WORD1_MOUNTED_ON_FILEID - 1U)))
2719 return -EIO; 2780 return -EIO;
2720 if (likely(bitmap[1] & FATTR4_WORD1_MOUNTED_ON_FILEID)) { 2781 if (likely(bitmap[1] & FATTR4_WORD1_MOUNTED_ON_FILEID)) {
2721 READ_BUF(8); 2782 p = xdr_inline_decode(xdr, 8);
2783 if (unlikely(!p))
2784 goto out_overflow;
2722 p = xdr_decode_hyper(p, fileid); 2785 p = xdr_decode_hyper(p, fileid);
2723 bitmap[1] &= ~FATTR4_WORD1_MOUNTED_ON_FILEID; 2786 bitmap[1] &= ~FATTR4_WORD1_MOUNTED_ON_FILEID;
2724 ret = NFS_ATTR_FATTR_FILEID; 2787 ret = NFS_ATTR_FATTR_FILEID;
2725 } 2788 }
2726 dprintk("%s: fileid=%Lu\n", __func__, (unsigned long long)*fileid); 2789 dprintk("%s: fileid=%Lu\n", __func__, (unsigned long long)*fileid);
2727 return ret; 2790 return ret;
2791out_overflow:
2792 print_overflow_msg(__func__, xdr);
2793 return -EIO;
2728} 2794}
2729 2795
2730static int decode_attr_files_avail(struct xdr_stream *xdr, uint32_t *bitmap, uint64_t *res) 2796static int decode_attr_files_avail(struct xdr_stream *xdr, uint32_t *bitmap, uint64_t *res)
@@ -2736,12 +2802,17 @@ static int decode_attr_files_avail(struct xdr_stream *xdr, uint32_t *bitmap, uin
2736 if (unlikely(bitmap[0] & (FATTR4_WORD0_FILES_AVAIL - 1U))) 2802 if (unlikely(bitmap[0] & (FATTR4_WORD0_FILES_AVAIL - 1U)))
2737 return -EIO; 2803 return -EIO;
2738 if (likely(bitmap[0] & FATTR4_WORD0_FILES_AVAIL)) { 2804 if (likely(bitmap[0] & FATTR4_WORD0_FILES_AVAIL)) {
2739 READ_BUF(8); 2805 p = xdr_inline_decode(xdr, 8);
2806 if (unlikely(!p))
2807 goto out_overflow;
2740 p = xdr_decode_hyper(p, res); 2808 p = xdr_decode_hyper(p, res);
2741 bitmap[0] &= ~FATTR4_WORD0_FILES_AVAIL; 2809 bitmap[0] &= ~FATTR4_WORD0_FILES_AVAIL;
2742 } 2810 }
2743 dprintk("%s: files avail=%Lu\n", __func__, (unsigned long long)*res); 2811 dprintk("%s: files avail=%Lu\n", __func__, (unsigned long long)*res);
2744 return status; 2812 return status;
2813out_overflow:
2814 print_overflow_msg(__func__, xdr);
2815 return -EIO;
2745} 2816}
2746 2817
2747static int decode_attr_files_free(struct xdr_stream *xdr, uint32_t *bitmap, uint64_t *res) 2818static int decode_attr_files_free(struct xdr_stream *xdr, uint32_t *bitmap, uint64_t *res)
@@ -2753,12 +2824,17 @@ static int decode_attr_files_free(struct xdr_stream *xdr, uint32_t *bitmap, uint
2753 if (unlikely(bitmap[0] & (FATTR4_WORD0_FILES_FREE - 1U))) 2824 if (unlikely(bitmap[0] & (FATTR4_WORD0_FILES_FREE - 1U)))
2754 return -EIO; 2825 return -EIO;
2755 if (likely(bitmap[0] & FATTR4_WORD0_FILES_FREE)) { 2826 if (likely(bitmap[0] & FATTR4_WORD0_FILES_FREE)) {
2756 READ_BUF(8); 2827 p = xdr_inline_decode(xdr, 8);
2828 if (unlikely(!p))
2829 goto out_overflow;
2757 p = xdr_decode_hyper(p, res); 2830 p = xdr_decode_hyper(p, res);
2758 bitmap[0] &= ~FATTR4_WORD0_FILES_FREE; 2831 bitmap[0] &= ~FATTR4_WORD0_FILES_FREE;
2759 } 2832 }
2760 dprintk("%s: files free=%Lu\n", __func__, (unsigned long long)*res); 2833 dprintk("%s: files free=%Lu\n", __func__, (unsigned long long)*res);
2761 return status; 2834 return status;
2835out_overflow:
2836 print_overflow_msg(__func__, xdr);
2837 return -EIO;
2762} 2838}
2763 2839
2764static int decode_attr_files_total(struct xdr_stream *xdr, uint32_t *bitmap, uint64_t *res) 2840static int decode_attr_files_total(struct xdr_stream *xdr, uint32_t *bitmap, uint64_t *res)
@@ -2770,12 +2846,17 @@ static int decode_attr_files_total(struct xdr_stream *xdr, uint32_t *bitmap, uin
2770 if (unlikely(bitmap[0] & (FATTR4_WORD0_FILES_TOTAL - 1U))) 2846 if (unlikely(bitmap[0] & (FATTR4_WORD0_FILES_TOTAL - 1U)))
2771 return -EIO; 2847 return -EIO;
2772 if (likely(bitmap[0] & FATTR4_WORD0_FILES_TOTAL)) { 2848 if (likely(bitmap[0] & FATTR4_WORD0_FILES_TOTAL)) {
2773 READ_BUF(8); 2849 p = xdr_inline_decode(xdr, 8);
2850 if (unlikely(!p))
2851 goto out_overflow;
2774 p = xdr_decode_hyper(p, res); 2852 p = xdr_decode_hyper(p, res);
2775 bitmap[0] &= ~FATTR4_WORD0_FILES_TOTAL; 2853 bitmap[0] &= ~FATTR4_WORD0_FILES_TOTAL;
2776 } 2854 }
2777 dprintk("%s: files total=%Lu\n", __func__, (unsigned long long)*res); 2855 dprintk("%s: files total=%Lu\n", __func__, (unsigned long long)*res);
2778 return status; 2856 return status;
2857out_overflow:
2858 print_overflow_msg(__func__, xdr);
2859 return -EIO;
2779} 2860}
2780 2861
2781static int decode_pathname(struct xdr_stream *xdr, struct nfs4_pathname *path) 2862static int decode_pathname(struct xdr_stream *xdr, struct nfs4_pathname *path)
@@ -2784,7 +2865,9 @@ static int decode_pathname(struct xdr_stream *xdr, struct nfs4_pathname *path)
2784 __be32 *p; 2865 __be32 *p;
2785 int status = 0; 2866 int status = 0;
2786 2867
2787 READ_BUF(4); 2868 p = xdr_inline_decode(xdr, 4);
2869 if (unlikely(!p))
2870 goto out_overflow;
2788 n = be32_to_cpup(p++); 2871 n = be32_to_cpup(p++);
2789 if (n == 0) 2872 if (n == 0)
2790 goto root_path; 2873 goto root_path;
@@ -2819,6 +2902,9 @@ out_eio:
2819 dprintk(" status %d", status); 2902 dprintk(" status %d", status);
2820 status = -EIO; 2903 status = -EIO;
2821 goto out; 2904 goto out;
2905out_overflow:
2906 print_overflow_msg(__func__, xdr);
2907 return -EIO;
2822} 2908}
2823 2909
2824static int decode_attr_fs_locations(struct xdr_stream *xdr, uint32_t *bitmap, struct nfs4_fs_locations *res) 2910static int decode_attr_fs_locations(struct xdr_stream *xdr, uint32_t *bitmap, struct nfs4_fs_locations *res)
@@ -2836,7 +2922,9 @@ static int decode_attr_fs_locations(struct xdr_stream *xdr, uint32_t *bitmap, st
2836 status = decode_pathname(xdr, &res->fs_path); 2922 status = decode_pathname(xdr, &res->fs_path);
2837 if (unlikely(status != 0)) 2923 if (unlikely(status != 0))
2838 goto out; 2924 goto out;
2839 READ_BUF(4); 2925 p = xdr_inline_decode(xdr, 4);
2926 if (unlikely(!p))
2927 goto out_overflow;
2840 n = be32_to_cpup(p++); 2928 n = be32_to_cpup(p++);
2841 if (n <= 0) 2929 if (n <= 0)
2842 goto out_eio; 2930 goto out_eio;
@@ -2845,7 +2933,9 @@ static int decode_attr_fs_locations(struct xdr_stream *xdr, uint32_t *bitmap, st
2845 u32 m; 2933 u32 m;
2846 struct nfs4_fs_location *loc = &res->locations[res->nlocations]; 2934 struct nfs4_fs_location *loc = &res->locations[res->nlocations];
2847 2935
2848 READ_BUF(4); 2936 p = xdr_inline_decode(xdr, 4);
2937 if (unlikely(!p))
2938 goto out_overflow;
2849 m = be32_to_cpup(p++); 2939 m = be32_to_cpup(p++);
2850 2940
2851 loc->nservers = 0; 2941 loc->nservers = 0;
@@ -2885,6 +2975,8 @@ static int decode_attr_fs_locations(struct xdr_stream *xdr, uint32_t *bitmap, st
2885out: 2975out:
2886 dprintk("%s: fs_locations done, error = %d\n", __func__, status); 2976 dprintk("%s: fs_locations done, error = %d\n", __func__, status);
2887 return status; 2977 return status;
2978out_overflow:
2979 print_overflow_msg(__func__, xdr);
2888out_eio: 2980out_eio:
2889 status = -EIO; 2981 status = -EIO;
2890 goto out; 2982 goto out;
@@ -2899,12 +2991,17 @@ static int decode_attr_maxfilesize(struct xdr_stream *xdr, uint32_t *bitmap, uin
2899 if (unlikely(bitmap[0] & (FATTR4_WORD0_MAXFILESIZE - 1U))) 2991 if (unlikely(bitmap[0] & (FATTR4_WORD0_MAXFILESIZE - 1U)))
2900 return -EIO; 2992 return -EIO;
2901 if (likely(bitmap[0] & FATTR4_WORD0_MAXFILESIZE)) { 2993 if (likely(bitmap[0] & FATTR4_WORD0_MAXFILESIZE)) {
2902 READ_BUF(8); 2994 p = xdr_inline_decode(xdr, 8);
2995 if (unlikely(!p))
2996 goto out_overflow;
2903 p = xdr_decode_hyper(p, res); 2997 p = xdr_decode_hyper(p, res);
2904 bitmap[0] &= ~FATTR4_WORD0_MAXFILESIZE; 2998 bitmap[0] &= ~FATTR4_WORD0_MAXFILESIZE;
2905 } 2999 }
2906 dprintk("%s: maxfilesize=%Lu\n", __func__, (unsigned long long)*res); 3000 dprintk("%s: maxfilesize=%Lu\n", __func__, (unsigned long long)*res);
2907 return status; 3001 return status;
3002out_overflow:
3003 print_overflow_msg(__func__, xdr);
3004 return -EIO;
2908} 3005}
2909 3006
2910static int decode_attr_maxlink(struct xdr_stream *xdr, uint32_t *bitmap, uint32_t *maxlink) 3007static int decode_attr_maxlink(struct xdr_stream *xdr, uint32_t *bitmap, uint32_t *maxlink)
@@ -2916,12 +3013,17 @@ static int decode_attr_maxlink(struct xdr_stream *xdr, uint32_t *bitmap, uint32_
2916 if (unlikely(bitmap[0] & (FATTR4_WORD0_MAXLINK - 1U))) 3013 if (unlikely(bitmap[0] & (FATTR4_WORD0_MAXLINK - 1U)))
2917 return -EIO; 3014 return -EIO;
2918 if (likely(bitmap[0] & FATTR4_WORD0_MAXLINK)) { 3015 if (likely(bitmap[0] & FATTR4_WORD0_MAXLINK)) {
2919 READ_BUF(4); 3016 p = xdr_inline_decode(xdr, 4);
3017 if (unlikely(!p))
3018 goto out_overflow;
2920 *maxlink = be32_to_cpup(p++); 3019 *maxlink = be32_to_cpup(p++);
2921 bitmap[0] &= ~FATTR4_WORD0_MAXLINK; 3020 bitmap[0] &= ~FATTR4_WORD0_MAXLINK;
2922 } 3021 }
2923 dprintk("%s: maxlink=%u\n", __func__, *maxlink); 3022 dprintk("%s: maxlink=%u\n", __func__, *maxlink);
2924 return status; 3023 return status;
3024out_overflow:
3025 print_overflow_msg(__func__, xdr);
3026 return -EIO;
2925} 3027}
2926 3028
2927static int decode_attr_maxname(struct xdr_stream *xdr, uint32_t *bitmap, uint32_t *maxname) 3029static int decode_attr_maxname(struct xdr_stream *xdr, uint32_t *bitmap, uint32_t *maxname)
@@ -2933,12 +3035,17 @@ static int decode_attr_maxname(struct xdr_stream *xdr, uint32_t *bitmap, uint32_
2933 if (unlikely(bitmap[0] & (FATTR4_WORD0_MAXNAME - 1U))) 3035 if (unlikely(bitmap[0] & (FATTR4_WORD0_MAXNAME - 1U)))
2934 return -EIO; 3036 return -EIO;
2935 if (likely(bitmap[0] & FATTR4_WORD0_MAXNAME)) { 3037 if (likely(bitmap[0] & FATTR4_WORD0_MAXNAME)) {
2936 READ_BUF(4); 3038 p = xdr_inline_decode(xdr, 4);
3039 if (unlikely(!p))
3040 goto out_overflow;
2937 *maxname = be32_to_cpup(p++); 3041 *maxname = be32_to_cpup(p++);
2938 bitmap[0] &= ~FATTR4_WORD0_MAXNAME; 3042 bitmap[0] &= ~FATTR4_WORD0_MAXNAME;
2939 } 3043 }
2940 dprintk("%s: maxname=%u\n", __func__, *maxname); 3044 dprintk("%s: maxname=%u\n", __func__, *maxname);
2941 return status; 3045 return status;
3046out_overflow:
3047 print_overflow_msg(__func__, xdr);
3048 return -EIO;
2942} 3049}
2943 3050
2944static int decode_attr_maxread(struct xdr_stream *xdr, uint32_t *bitmap, uint32_t *res) 3051static int decode_attr_maxread(struct xdr_stream *xdr, uint32_t *bitmap, uint32_t *res)
@@ -2951,7 +3058,9 @@ static int decode_attr_maxread(struct xdr_stream *xdr, uint32_t *bitmap, uint32_
2951 return -EIO; 3058 return -EIO;
2952 if (likely(bitmap[0] & FATTR4_WORD0_MAXREAD)) { 3059 if (likely(bitmap[0] & FATTR4_WORD0_MAXREAD)) {
2953 uint64_t maxread; 3060 uint64_t maxread;
2954 READ_BUF(8); 3061 p = xdr_inline_decode(xdr, 8);
3062 if (unlikely(!p))
3063 goto out_overflow;
2955 p = xdr_decode_hyper(p, &maxread); 3064 p = xdr_decode_hyper(p, &maxread);
2956 if (maxread > 0x7FFFFFFF) 3065 if (maxread > 0x7FFFFFFF)
2957 maxread = 0x7FFFFFFF; 3066 maxread = 0x7FFFFFFF;
@@ -2960,6 +3069,9 @@ static int decode_attr_maxread(struct xdr_stream *xdr, uint32_t *bitmap, uint32_
2960 } 3069 }
2961 dprintk("%s: maxread=%lu\n", __func__, (unsigned long)*res); 3070 dprintk("%s: maxread=%lu\n", __func__, (unsigned long)*res);
2962 return status; 3071 return status;
3072out_overflow:
3073 print_overflow_msg(__func__, xdr);
3074 return -EIO;
2963} 3075}
2964 3076
2965static int decode_attr_maxwrite(struct xdr_stream *xdr, uint32_t *bitmap, uint32_t *res) 3077static int decode_attr_maxwrite(struct xdr_stream *xdr, uint32_t *bitmap, uint32_t *res)
@@ -2972,7 +3084,9 @@ static int decode_attr_maxwrite(struct xdr_stream *xdr, uint32_t *bitmap, uint32
2972 return -EIO; 3084 return -EIO;
2973 if (likely(bitmap[0] & FATTR4_WORD0_MAXWRITE)) { 3085 if (likely(bitmap[0] & FATTR4_WORD0_MAXWRITE)) {
2974 uint64_t maxwrite; 3086 uint64_t maxwrite;
2975 READ_BUF(8); 3087 p = xdr_inline_decode(xdr, 8);
3088 if (unlikely(!p))
3089 goto out_overflow;
2976 p = xdr_decode_hyper(p, &maxwrite); 3090 p = xdr_decode_hyper(p, &maxwrite);
2977 if (maxwrite > 0x7FFFFFFF) 3091 if (maxwrite > 0x7FFFFFFF)
2978 maxwrite = 0x7FFFFFFF; 3092 maxwrite = 0x7FFFFFFF;
@@ -2981,6 +3095,9 @@ static int decode_attr_maxwrite(struct xdr_stream *xdr, uint32_t *bitmap, uint32
2981 } 3095 }
2982 dprintk("%s: maxwrite=%lu\n", __func__, (unsigned long)*res); 3096 dprintk("%s: maxwrite=%lu\n", __func__, (unsigned long)*res);
2983 return status; 3097 return status;
3098out_overflow:
3099 print_overflow_msg(__func__, xdr);
3100 return -EIO;
2984} 3101}
2985 3102
2986static int decode_attr_mode(struct xdr_stream *xdr, uint32_t *bitmap, umode_t *mode) 3103static int decode_attr_mode(struct xdr_stream *xdr, uint32_t *bitmap, umode_t *mode)
@@ -2993,7 +3110,9 @@ static int decode_attr_mode(struct xdr_stream *xdr, uint32_t *bitmap, umode_t *m
2993 if (unlikely(bitmap[1] & (FATTR4_WORD1_MODE - 1U))) 3110 if (unlikely(bitmap[1] & (FATTR4_WORD1_MODE - 1U)))
2994 return -EIO; 3111 return -EIO;
2995 if (likely(bitmap[1] & FATTR4_WORD1_MODE)) { 3112 if (likely(bitmap[1] & FATTR4_WORD1_MODE)) {
2996 READ_BUF(4); 3113 p = xdr_inline_decode(xdr, 4);
3114 if (unlikely(!p))
3115 goto out_overflow;
2997 tmp = be32_to_cpup(p++); 3116 tmp = be32_to_cpup(p++);
2998 *mode = tmp & ~S_IFMT; 3117 *mode = tmp & ~S_IFMT;
2999 bitmap[1] &= ~FATTR4_WORD1_MODE; 3118 bitmap[1] &= ~FATTR4_WORD1_MODE;
@@ -3001,6 +3120,9 @@ static int decode_attr_mode(struct xdr_stream *xdr, uint32_t *bitmap, umode_t *m
3001 } 3120 }
3002 dprintk("%s: file mode=0%o\n", __func__, (unsigned int)*mode); 3121 dprintk("%s: file mode=0%o\n", __func__, (unsigned int)*mode);
3003 return ret; 3122 return ret;
3123out_overflow:
3124 print_overflow_msg(__func__, xdr);
3125 return -EIO;
3004} 3126}
3005 3127
3006static int decode_attr_nlink(struct xdr_stream *xdr, uint32_t *bitmap, uint32_t *nlink) 3128static int decode_attr_nlink(struct xdr_stream *xdr, uint32_t *bitmap, uint32_t *nlink)
@@ -3012,13 +3134,18 @@ static int decode_attr_nlink(struct xdr_stream *xdr, uint32_t *bitmap, uint32_t
3012 if (unlikely(bitmap[1] & (FATTR4_WORD1_NUMLINKS - 1U))) 3134 if (unlikely(bitmap[1] & (FATTR4_WORD1_NUMLINKS - 1U)))
3013 return -EIO; 3135 return -EIO;
3014 if (likely(bitmap[1] & FATTR4_WORD1_NUMLINKS)) { 3136 if (likely(bitmap[1] & FATTR4_WORD1_NUMLINKS)) {
3015 READ_BUF(4); 3137 p = xdr_inline_decode(xdr, 4);
3138 if (unlikely(!p))
3139 goto out_overflow;
3016 *nlink = be32_to_cpup(p++); 3140 *nlink = be32_to_cpup(p++);
3017 bitmap[1] &= ~FATTR4_WORD1_NUMLINKS; 3141 bitmap[1] &= ~FATTR4_WORD1_NUMLINKS;
3018 ret = NFS_ATTR_FATTR_NLINK; 3142 ret = NFS_ATTR_FATTR_NLINK;
3019 } 3143 }
3020 dprintk("%s: nlink=%u\n", __func__, (unsigned int)*nlink); 3144 dprintk("%s: nlink=%u\n", __func__, (unsigned int)*nlink);
3021 return ret; 3145 return ret;
3146out_overflow:
3147 print_overflow_msg(__func__, xdr);
3148 return -EIO;
3022} 3149}
3023 3150
3024static int decode_attr_owner(struct xdr_stream *xdr, uint32_t *bitmap, struct nfs_client *clp, uint32_t *uid) 3151static int decode_attr_owner(struct xdr_stream *xdr, uint32_t *bitmap, struct nfs_client *clp, uint32_t *uid)
@@ -3031,9 +3158,13 @@ static int decode_attr_owner(struct xdr_stream *xdr, uint32_t *bitmap, struct nf
3031 if (unlikely(bitmap[1] & (FATTR4_WORD1_OWNER - 1U))) 3158 if (unlikely(bitmap[1] & (FATTR4_WORD1_OWNER - 1U)))
3032 return -EIO; 3159 return -EIO;
3033 if (likely(bitmap[1] & FATTR4_WORD1_OWNER)) { 3160 if (likely(bitmap[1] & FATTR4_WORD1_OWNER)) {
3034 READ_BUF(4); 3161 p = xdr_inline_decode(xdr, 4);
3162 if (unlikely(!p))
3163 goto out_overflow;
3035 len = be32_to_cpup(p++); 3164 len = be32_to_cpup(p++);
3036 READ_BUF(len); 3165 p = xdr_inline_decode(xdr, len);
3166 if (unlikely(!p))
3167 goto out_overflow;
3037 if (len < XDR_MAX_NETOBJ) { 3168 if (len < XDR_MAX_NETOBJ) {
3038 if (nfs_map_name_to_uid(clp, (char *)p, len, uid) == 0) 3169 if (nfs_map_name_to_uid(clp, (char *)p, len, uid) == 0)
3039 ret = NFS_ATTR_FATTR_OWNER; 3170 ret = NFS_ATTR_FATTR_OWNER;
@@ -3047,6 +3178,9 @@ static int decode_attr_owner(struct xdr_stream *xdr, uint32_t *bitmap, struct nf
3047 } 3178 }
3048 dprintk("%s: uid=%d\n", __func__, (int)*uid); 3179 dprintk("%s: uid=%d\n", __func__, (int)*uid);
3049 return ret; 3180 return ret;
3181out_overflow:
3182 print_overflow_msg(__func__, xdr);
3183 return -EIO;
3050} 3184}
3051 3185
3052static int decode_attr_group(struct xdr_stream *xdr, uint32_t *bitmap, struct nfs_client *clp, uint32_t *gid) 3186static int decode_attr_group(struct xdr_stream *xdr, uint32_t *bitmap, struct nfs_client *clp, uint32_t *gid)
@@ -3059,9 +3193,13 @@ static int decode_attr_group(struct xdr_stream *xdr, uint32_t *bitmap, struct nf
3059 if (unlikely(bitmap[1] & (FATTR4_WORD1_OWNER_GROUP - 1U))) 3193 if (unlikely(bitmap[1] & (FATTR4_WORD1_OWNER_GROUP - 1U)))
3060 return -EIO; 3194 return -EIO;
3061 if (likely(bitmap[1] & FATTR4_WORD1_OWNER_GROUP)) { 3195 if (likely(bitmap[1] & FATTR4_WORD1_OWNER_GROUP)) {
3062 READ_BUF(4); 3196 p = xdr_inline_decode(xdr, 4);
3197 if (unlikely(!p))
3198 goto out_overflow;
3063 len = be32_to_cpup(p++); 3199 len = be32_to_cpup(p++);
3064 READ_BUF(len); 3200 p = xdr_inline_decode(xdr, len);
3201 if (unlikely(!p))
3202 goto out_overflow;
3065 if (len < XDR_MAX_NETOBJ) { 3203 if (len < XDR_MAX_NETOBJ) {
3066 if (nfs_map_group_to_gid(clp, (char *)p, len, gid) == 0) 3204 if (nfs_map_group_to_gid(clp, (char *)p, len, gid) == 0)
3067 ret = NFS_ATTR_FATTR_GROUP; 3205 ret = NFS_ATTR_FATTR_GROUP;
@@ -3075,6 +3213,9 @@ static int decode_attr_group(struct xdr_stream *xdr, uint32_t *bitmap, struct nf
3075 } 3213 }
3076 dprintk("%s: gid=%d\n", __func__, (int)*gid); 3214 dprintk("%s: gid=%d\n", __func__, (int)*gid);
3077 return ret; 3215 return ret;
3216out_overflow:
3217 print_overflow_msg(__func__, xdr);
3218 return -EIO;
3078} 3219}
3079 3220
3080static int decode_attr_rdev(struct xdr_stream *xdr, uint32_t *bitmap, dev_t *rdev) 3221static int decode_attr_rdev(struct xdr_stream *xdr, uint32_t *bitmap, dev_t *rdev)
@@ -3089,7 +3230,9 @@ static int decode_attr_rdev(struct xdr_stream *xdr, uint32_t *bitmap, dev_t *rde
3089 if (likely(bitmap[1] & FATTR4_WORD1_RAWDEV)) { 3230 if (likely(bitmap[1] & FATTR4_WORD1_RAWDEV)) {
3090 dev_t tmp; 3231 dev_t tmp;
3091 3232
3092 READ_BUF(8); 3233 p = xdr_inline_decode(xdr, 8);
3234 if (unlikely(!p))
3235 goto out_overflow;
3093 major = be32_to_cpup(p++); 3236 major = be32_to_cpup(p++);
3094 minor = be32_to_cpup(p++); 3237 minor = be32_to_cpup(p++);
3095 tmp = MKDEV(major, minor); 3238 tmp = MKDEV(major, minor);
@@ -3100,6 +3243,9 @@ static int decode_attr_rdev(struct xdr_stream *xdr, uint32_t *bitmap, dev_t *rde
3100 } 3243 }
3101 dprintk("%s: rdev=(0x%x:0x%x)\n", __func__, major, minor); 3244 dprintk("%s: rdev=(0x%x:0x%x)\n", __func__, major, minor);
3102 return ret; 3245 return ret;
3246out_overflow:
3247 print_overflow_msg(__func__, xdr);
3248 return -EIO;
3103} 3249}
3104 3250
3105static int decode_attr_space_avail(struct xdr_stream *xdr, uint32_t *bitmap, uint64_t *res) 3251static int decode_attr_space_avail(struct xdr_stream *xdr, uint32_t *bitmap, uint64_t *res)
@@ -3111,12 +3257,17 @@ static int decode_attr_space_avail(struct xdr_stream *xdr, uint32_t *bitmap, uin
3111 if (unlikely(bitmap[1] & (FATTR4_WORD1_SPACE_AVAIL - 1U))) 3257 if (unlikely(bitmap[1] & (FATTR4_WORD1_SPACE_AVAIL - 1U)))
3112 return -EIO; 3258 return -EIO;
3113 if (likely(bitmap[1] & FATTR4_WORD1_SPACE_AVAIL)) { 3259 if (likely(bitmap[1] & FATTR4_WORD1_SPACE_AVAIL)) {
3114 READ_BUF(8); 3260 p = xdr_inline_decode(xdr, 8);
3261 if (unlikely(!p))
3262 goto out_overflow;
3115 p = xdr_decode_hyper(p, res); 3263 p = xdr_decode_hyper(p, res);
3116 bitmap[1] &= ~FATTR4_WORD1_SPACE_AVAIL; 3264 bitmap[1] &= ~FATTR4_WORD1_SPACE_AVAIL;
3117 } 3265 }
3118 dprintk("%s: space avail=%Lu\n", __func__, (unsigned long long)*res); 3266 dprintk("%s: space avail=%Lu\n", __func__, (unsigned long long)*res);
3119 return status; 3267 return status;
3268out_overflow:
3269 print_overflow_msg(__func__, xdr);
3270 return -EIO;
3120} 3271}
3121 3272
3122static int decode_attr_space_free(struct xdr_stream *xdr, uint32_t *bitmap, uint64_t *res) 3273static int decode_attr_space_free(struct xdr_stream *xdr, uint32_t *bitmap, uint64_t *res)
@@ -3128,12 +3279,17 @@ static int decode_attr_space_free(struct xdr_stream *xdr, uint32_t *bitmap, uint
3128 if (unlikely(bitmap[1] & (FATTR4_WORD1_SPACE_FREE - 1U))) 3279 if (unlikely(bitmap[1] & (FATTR4_WORD1_SPACE_FREE - 1U)))
3129 return -EIO; 3280 return -EIO;
3130 if (likely(bitmap[1] & FATTR4_WORD1_SPACE_FREE)) { 3281 if (likely(bitmap[1] & FATTR4_WORD1_SPACE_FREE)) {
3131 READ_BUF(8); 3282 p = xdr_inline_decode(xdr, 8);
3283 if (unlikely(!p))
3284 goto out_overflow;
3132 p = xdr_decode_hyper(p, res); 3285 p = xdr_decode_hyper(p, res);
3133 bitmap[1] &= ~FATTR4_WORD1_SPACE_FREE; 3286 bitmap[1] &= ~FATTR4_WORD1_SPACE_FREE;
3134 } 3287 }
3135 dprintk("%s: space free=%Lu\n", __func__, (unsigned long long)*res); 3288 dprintk("%s: space free=%Lu\n", __func__, (unsigned long long)*res);
3136 return status; 3289 return status;
3290out_overflow:
3291 print_overflow_msg(__func__, xdr);
3292 return -EIO;
3137} 3293}
3138 3294
3139static int decode_attr_space_total(struct xdr_stream *xdr, uint32_t *bitmap, uint64_t *res) 3295static int decode_attr_space_total(struct xdr_stream *xdr, uint32_t *bitmap, uint64_t *res)
@@ -3145,12 +3301,17 @@ static int decode_attr_space_total(struct xdr_stream *xdr, uint32_t *bitmap, uin
3145 if (unlikely(bitmap[1] & (FATTR4_WORD1_SPACE_TOTAL - 1U))) 3301 if (unlikely(bitmap[1] & (FATTR4_WORD1_SPACE_TOTAL - 1U)))
3146 return -EIO; 3302 return -EIO;
3147 if (likely(bitmap[1] & FATTR4_WORD1_SPACE_TOTAL)) { 3303 if (likely(bitmap[1] & FATTR4_WORD1_SPACE_TOTAL)) {
3148 READ_BUF(8); 3304 p = xdr_inline_decode(xdr, 8);
3305 if (unlikely(!p))
3306 goto out_overflow;
3149 p = xdr_decode_hyper(p, res); 3307 p = xdr_decode_hyper(p, res);
3150 bitmap[1] &= ~FATTR4_WORD1_SPACE_TOTAL; 3308 bitmap[1] &= ~FATTR4_WORD1_SPACE_TOTAL;
3151 } 3309 }
3152 dprintk("%s: space total=%Lu\n", __func__, (unsigned long long)*res); 3310 dprintk("%s: space total=%Lu\n", __func__, (unsigned long long)*res);
3153 return status; 3311 return status;
3312out_overflow:
3313 print_overflow_msg(__func__, xdr);
3314 return -EIO;
3154} 3315}
3155 3316
3156static int decode_attr_space_used(struct xdr_stream *xdr, uint32_t *bitmap, uint64_t *used) 3317static int decode_attr_space_used(struct xdr_stream *xdr, uint32_t *bitmap, uint64_t *used)
@@ -3162,7 +3323,9 @@ static int decode_attr_space_used(struct xdr_stream *xdr, uint32_t *bitmap, uint
3162 if (unlikely(bitmap[1] & (FATTR4_WORD1_SPACE_USED - 1U))) 3323 if (unlikely(bitmap[1] & (FATTR4_WORD1_SPACE_USED - 1U)))
3163 return -EIO; 3324 return -EIO;
3164 if (likely(bitmap[1] & FATTR4_WORD1_SPACE_USED)) { 3325 if (likely(bitmap[1] & FATTR4_WORD1_SPACE_USED)) {
3165 READ_BUF(8); 3326 p = xdr_inline_decode(xdr, 8);
3327 if (unlikely(!p))
3328 goto out_overflow;
3166 p = xdr_decode_hyper(p, used); 3329 p = xdr_decode_hyper(p, used);
3167 bitmap[1] &= ~FATTR4_WORD1_SPACE_USED; 3330 bitmap[1] &= ~FATTR4_WORD1_SPACE_USED;
3168 ret = NFS_ATTR_FATTR_SPACE_USED; 3331 ret = NFS_ATTR_FATTR_SPACE_USED;
@@ -3170,6 +3333,9 @@ static int decode_attr_space_used(struct xdr_stream *xdr, uint32_t *bitmap, uint
3170 dprintk("%s: space used=%Lu\n", __func__, 3333 dprintk("%s: space used=%Lu\n", __func__,
3171 (unsigned long long)*used); 3334 (unsigned long long)*used);
3172 return ret; 3335 return ret;
3336out_overflow:
3337 print_overflow_msg(__func__, xdr);
3338 return -EIO;
3173} 3339}
3174 3340
3175static int decode_attr_time(struct xdr_stream *xdr, struct timespec *time) 3341static int decode_attr_time(struct xdr_stream *xdr, struct timespec *time)
@@ -3178,12 +3344,17 @@ static int decode_attr_time(struct xdr_stream *xdr, struct timespec *time)
3178 uint64_t sec; 3344 uint64_t sec;
3179 uint32_t nsec; 3345 uint32_t nsec;
3180 3346
3181 READ_BUF(12); 3347 p = xdr_inline_decode(xdr, 12);
3348 if (unlikely(!p))
3349 goto out_overflow;
3182 p = xdr_decode_hyper(p, &sec); 3350 p = xdr_decode_hyper(p, &sec);
3183 nsec = be32_to_cpup(p++); 3351 nsec = be32_to_cpup(p++);
3184 time->tv_sec = (time_t)sec; 3352 time->tv_sec = (time_t)sec;
3185 time->tv_nsec = (long)nsec; 3353 time->tv_nsec = (long)nsec;
3186 return 0; 3354 return 0;
3355out_overflow:
3356 print_overflow_msg(__func__, xdr);
3357 return -EIO;
3187} 3358}
3188 3359
3189static int decode_attr_time_access(struct xdr_stream *xdr, uint32_t *bitmap, struct timespec *time) 3360static int decode_attr_time_access(struct xdr_stream *xdr, uint32_t *bitmap, struct timespec *time)
@@ -3261,11 +3432,16 @@ static int decode_change_info(struct xdr_stream *xdr, struct nfs4_change_info *c
3261{ 3432{
3262 __be32 *p; 3433 __be32 *p;
3263 3434
3264 READ_BUF(20); 3435 p = xdr_inline_decode(xdr, 20);
3436 if (unlikely(!p))
3437 goto out_overflow;
3265 cinfo->atomic = be32_to_cpup(p++); 3438 cinfo->atomic = be32_to_cpup(p++);
3266 p = xdr_decode_hyper(p, &cinfo->before); 3439 p = xdr_decode_hyper(p, &cinfo->before);
3267 p = xdr_decode_hyper(p, &cinfo->after); 3440 p = xdr_decode_hyper(p, &cinfo->after);
3268 return 0; 3441 return 0;
3442out_overflow:
3443 print_overflow_msg(__func__, xdr);
3444 return -EIO;
3269} 3445}
3270 3446
3271static int decode_access(struct xdr_stream *xdr, struct nfs4_accessres *access) 3447static int decode_access(struct xdr_stream *xdr, struct nfs4_accessres *access)
@@ -3277,12 +3453,17 @@ static int decode_access(struct xdr_stream *xdr, struct nfs4_accessres *access)
3277 status = decode_op_hdr(xdr, OP_ACCESS); 3453 status = decode_op_hdr(xdr, OP_ACCESS);
3278 if (status) 3454 if (status)
3279 return status; 3455 return status;
3280 READ_BUF(8); 3456 p = xdr_inline_decode(xdr, 8);
3457 if (unlikely(!p))
3458 goto out_overflow;
3281 supp = be32_to_cpup(p++); 3459 supp = be32_to_cpup(p++);
3282 acc = be32_to_cpup(p++); 3460 acc = be32_to_cpup(p++);
3283 access->supported = supp; 3461 access->supported = supp;
3284 access->access = acc; 3462 access->access = acc;
3285 return 0; 3463 return 0;
3464out_overflow:
3465 print_overflow_msg(__func__, xdr);
3466 return -EIO;
3286} 3467}
3287 3468
3288static int decode_opaque_fixed(struct xdr_stream *xdr, void *buf, size_t len) 3469static int decode_opaque_fixed(struct xdr_stream *xdr, void *buf, size_t len)
@@ -3341,10 +3522,16 @@ static int decode_create(struct xdr_stream *xdr, struct nfs4_change_info *cinfo)
3341 return status; 3522 return status;
3342 if ((status = decode_change_info(xdr, cinfo))) 3523 if ((status = decode_change_info(xdr, cinfo)))
3343 return status; 3524 return status;
3344 READ_BUF(4); 3525 p = xdr_inline_decode(xdr, 4);
3526 if (unlikely(!p))
3527 goto out_overflow;
3345 bmlen = be32_to_cpup(p++); 3528 bmlen = be32_to_cpup(p++);
3346 READ_BUF(bmlen << 2); 3529 p = xdr_inline_decode(xdr, bmlen << 2);
3347 return 0; 3530 if (likely(p))
3531 return 0;
3532out_overflow:
3533 print_overflow_msg(__func__, xdr);
3534 return -EIO;
3348} 3535}
3349 3536
3350static int decode_server_caps(struct xdr_stream *xdr, struct nfs4_server_caps_res *res) 3537static int decode_server_caps(struct xdr_stream *xdr, struct nfs4_server_caps_res *res)
@@ -3596,14 +3783,21 @@ static int decode_getfh(struct xdr_stream *xdr, struct nfs_fh *fh)
3596 if (status) 3783 if (status)
3597 return status; 3784 return status;
3598 3785
3599 READ_BUF(4); 3786 p = xdr_inline_decode(xdr, 4);
3787 if (unlikely(!p))
3788 goto out_overflow;
3600 len = be32_to_cpup(p++); 3789 len = be32_to_cpup(p++);
3601 if (len > NFS4_FHSIZE) 3790 if (len > NFS4_FHSIZE)
3602 return -EIO; 3791 return -EIO;
3603 fh->size = len; 3792 fh->size = len;
3604 READ_BUF(len); 3793 p = xdr_inline_decode(xdr, len);
3794 if (unlikely(!p))
3795 goto out_overflow;
3605 memcpy(fh->data, p, len); 3796 memcpy(fh->data, p, len);
3606 return 0; 3797 return 0;
3798out_overflow:
3799 print_overflow_msg(__func__, xdr);
3800 return -EIO;
3607} 3801}
3608 3802
3609static int decode_link(struct xdr_stream *xdr, struct nfs4_change_info *cinfo) 3803static int decode_link(struct xdr_stream *xdr, struct nfs4_change_info *cinfo)
@@ -3625,7 +3819,9 @@ static int decode_lock_denied (struct xdr_stream *xdr, struct file_lock *fl)
3625 __be32 *p; 3819 __be32 *p;
3626 uint32_t namelen, type; 3820 uint32_t namelen, type;
3627 3821
3628 READ_BUF(32); 3822 p = xdr_inline_decode(xdr, 32);
3823 if (unlikely(!p))
3824 goto out_overflow;
3629 p = xdr_decode_hyper(p, &offset); 3825 p = xdr_decode_hyper(p, &offset);
3630 p = xdr_decode_hyper(p, &length); 3826 p = xdr_decode_hyper(p, &length);
3631 type = be32_to_cpup(p++); 3827 type = be32_to_cpup(p++);
@@ -3641,8 +3837,12 @@ static int decode_lock_denied (struct xdr_stream *xdr, struct file_lock *fl)
3641 } 3837 }
3642 p = xdr_decode_hyper(p, &clientid); 3838 p = xdr_decode_hyper(p, &clientid);
3643 namelen = be32_to_cpup(p++); 3839 namelen = be32_to_cpup(p++);
3644 READ_BUF(namelen); 3840 p = xdr_inline_decode(xdr, namelen);
3645 return -NFS4ERR_DENIED; 3841 if (likely(p))
3842 return -NFS4ERR_DENIED;
3843out_overflow:
3844 print_overflow_msg(__func__, xdr);
3845 return -EIO;
3646} 3846}
3647 3847
3648static int decode_lock(struct xdr_stream *xdr, struct nfs_lock_res *res) 3848static int decode_lock(struct xdr_stream *xdr, struct nfs_lock_res *res)
@@ -3697,7 +3897,9 @@ static int decode_space_limit(struct xdr_stream *xdr, u64 *maxsize)
3697 __be32 *p; 3897 __be32 *p;
3698 uint32_t limit_type, nblocks, blocksize; 3898 uint32_t limit_type, nblocks, blocksize;
3699 3899
3700 READ_BUF(12); 3900 p = xdr_inline_decode(xdr, 12);
3901 if (unlikely(!p))
3902 goto out_overflow;
3701 limit_type = be32_to_cpup(p++); 3903 limit_type = be32_to_cpup(p++);
3702 switch (limit_type) { 3904 switch (limit_type) {
3703 case 1: 3905 case 1:
@@ -3709,6 +3911,9 @@ static int decode_space_limit(struct xdr_stream *xdr, u64 *maxsize)
3709 *maxsize = (uint64_t)nblocks * (uint64_t)blocksize; 3911 *maxsize = (uint64_t)nblocks * (uint64_t)blocksize;
3710 } 3912 }
3711 return 0; 3913 return 0;
3914out_overflow:
3915 print_overflow_msg(__func__, xdr);
3916 return -EIO;
3712} 3917}
3713 3918
3714static int decode_delegation(struct xdr_stream *xdr, struct nfs_openres *res) 3919static int decode_delegation(struct xdr_stream *xdr, struct nfs_openres *res)
@@ -3717,7 +3922,9 @@ static int decode_delegation(struct xdr_stream *xdr, struct nfs_openres *res)
3717 uint32_t delegation_type; 3922 uint32_t delegation_type;
3718 int status; 3923 int status;
3719 3924
3720 READ_BUF(4); 3925 p = xdr_inline_decode(xdr, 4);
3926 if (unlikely(!p))
3927 goto out_overflow;
3721 delegation_type = be32_to_cpup(p++); 3928 delegation_type = be32_to_cpup(p++);
3722 if (delegation_type == NFS4_OPEN_DELEGATE_NONE) { 3929 if (delegation_type == NFS4_OPEN_DELEGATE_NONE) {
3723 res->delegation_type = 0; 3930 res->delegation_type = 0;
@@ -3726,7 +3933,9 @@ static int decode_delegation(struct xdr_stream *xdr, struct nfs_openres *res)
3726 status = decode_stateid(xdr, &res->delegation); 3933 status = decode_stateid(xdr, &res->delegation);
3727 if (unlikely(status)) 3934 if (unlikely(status))
3728 return status; 3935 return status;
3729 READ_BUF(4); 3936 p = xdr_inline_decode(xdr, 4);
3937 if (unlikely(!p))
3938 goto out_overflow;
3730 res->do_recall = be32_to_cpup(p++); 3939 res->do_recall = be32_to_cpup(p++);
3731 3940
3732 switch (delegation_type) { 3941 switch (delegation_type) {
@@ -3739,6 +3948,9 @@ static int decode_delegation(struct xdr_stream *xdr, struct nfs_openres *res)
3739 return -EIO; 3948 return -EIO;
3740 } 3949 }
3741 return decode_ace(xdr, NULL, res->server->nfs_client); 3950 return decode_ace(xdr, NULL, res->server->nfs_client);
3951out_overflow:
3952 print_overflow_msg(__func__, xdr);
3953 return -EIO;
3742} 3954}
3743 3955
3744static int decode_open(struct xdr_stream *xdr, struct nfs_openres *res) 3956static int decode_open(struct xdr_stream *xdr, struct nfs_openres *res)
@@ -3757,13 +3969,17 @@ static int decode_open(struct xdr_stream *xdr, struct nfs_openres *res)
3757 3969
3758 decode_change_info(xdr, &res->cinfo); 3970 decode_change_info(xdr, &res->cinfo);
3759 3971
3760 READ_BUF(8); 3972 p = xdr_inline_decode(xdr, 8);
3973 if (unlikely(!p))
3974 goto out_overflow;
3761 res->rflags = be32_to_cpup(p++); 3975 res->rflags = be32_to_cpup(p++);
3762 bmlen = be32_to_cpup(p++); 3976 bmlen = be32_to_cpup(p++);
3763 if (bmlen > 10) 3977 if (bmlen > 10)
3764 goto xdr_error; 3978 goto xdr_error;
3765 3979
3766 READ_BUF(bmlen << 2); 3980 p = xdr_inline_decode(xdr, bmlen << 2);
3981 if (unlikely(!p))
3982 goto out_overflow;
3767 savewords = min_t(uint32_t, bmlen, NFS4_BITMAP_SIZE); 3983 savewords = min_t(uint32_t, bmlen, NFS4_BITMAP_SIZE);
3768 for (i = 0; i < savewords; ++i) 3984 for (i = 0; i < savewords; ++i)
3769 res->attrset[i] = be32_to_cpup(p++); 3985 res->attrset[i] = be32_to_cpup(p++);
@@ -3774,6 +3990,9 @@ static int decode_open(struct xdr_stream *xdr, struct nfs_openres *res)
3774xdr_error: 3990xdr_error:
3775 dprintk("%s: Bitmap too large! Length = %u\n", __func__, bmlen); 3991 dprintk("%s: Bitmap too large! Length = %u\n", __func__, bmlen);
3776 return -EIO; 3992 return -EIO;
3993out_overflow:
3994 print_overflow_msg(__func__, xdr);
3995 return -EIO;
3777} 3996}
3778 3997
3779static int decode_open_confirm(struct xdr_stream *xdr, struct nfs_open_confirmres *res) 3998static int decode_open_confirm(struct xdr_stream *xdr, struct nfs_open_confirmres *res)
@@ -3820,7 +4039,9 @@ static int decode_read(struct xdr_stream *xdr, struct rpc_rqst *req, struct nfs_
3820 status = decode_op_hdr(xdr, OP_READ); 4039 status = decode_op_hdr(xdr, OP_READ);
3821 if (status) 4040 if (status)
3822 return status; 4041 return status;
3823 READ_BUF(8); 4042 p = xdr_inline_decode(xdr, 8);
4043 if (unlikely(!p))
4044 goto out_overflow;
3824 eof = be32_to_cpup(p++); 4045 eof = be32_to_cpup(p++);
3825 count = be32_to_cpup(p++); 4046 count = be32_to_cpup(p++);
3826 hdrlen = (u8 *) p - (u8 *) iov->iov_base; 4047 hdrlen = (u8 *) p - (u8 *) iov->iov_base;
@@ -3835,6 +4056,9 @@ static int decode_read(struct xdr_stream *xdr, struct rpc_rqst *req, struct nfs_
3835 res->eof = eof; 4056 res->eof = eof;
3836 res->count = count; 4057 res->count = count;
3837 return 0; 4058 return 0;
4059out_overflow:
4060 print_overflow_msg(__func__, xdr);
4061 return -EIO;
3838} 4062}
3839 4063
3840static int decode_readdir(struct xdr_stream *xdr, struct rpc_rqst *req, struct nfs4_readdir_res *readdir) 4064static int decode_readdir(struct xdr_stream *xdr, struct rpc_rqst *req, struct nfs4_readdir_res *readdir)
@@ -3947,7 +4171,9 @@ static int decode_readlink(struct xdr_stream *xdr, struct rpc_rqst *req)
3947 return status; 4171 return status;
3948 4172
3949 /* Convert length of symlink */ 4173 /* Convert length of symlink */
3950 READ_BUF(4); 4174 p = xdr_inline_decode(xdr, 4);
4175 if (unlikely(!p))
4176 goto out_overflow;
3951 len = be32_to_cpup(p++); 4177 len = be32_to_cpup(p++);
3952 if (len >= rcvbuf->page_len || len <= 0) { 4178 if (len >= rcvbuf->page_len || len <= 0) {
3953 dprintk("nfs: server returned giant symlink!\n"); 4179 dprintk("nfs: server returned giant symlink!\n");
@@ -3972,6 +4198,9 @@ static int decode_readlink(struct xdr_stream *xdr, struct rpc_rqst *req)
3972 kaddr[len+rcvbuf->page_base] = '\0'; 4198 kaddr[len+rcvbuf->page_base] = '\0';
3973 kunmap_atomic(kaddr, KM_USER0); 4199 kunmap_atomic(kaddr, KM_USER0);
3974 return 0; 4200 return 0;
4201out_overflow:
4202 print_overflow_msg(__func__, xdr);
4203 return -EIO;
3975} 4204}
3976 4205
3977static int decode_remove(struct xdr_stream *xdr, struct nfs4_change_info *cinfo) 4206static int decode_remove(struct xdr_stream *xdr, struct nfs4_change_info *cinfo)
@@ -4069,10 +4298,16 @@ static int decode_setattr(struct xdr_stream *xdr)
4069 status = decode_op_hdr(xdr, OP_SETATTR); 4298 status = decode_op_hdr(xdr, OP_SETATTR);
4070 if (status) 4299 if (status)
4071 return status; 4300 return status;
4072 READ_BUF(4); 4301 p = xdr_inline_decode(xdr, 4);
4302 if (unlikely(!p))
4303 goto out_overflow;
4073 bmlen = be32_to_cpup(p++); 4304 bmlen = be32_to_cpup(p++);
4074 READ_BUF(bmlen << 2); 4305 p = xdr_inline_decode(xdr, bmlen << 2);
4075 return 0; 4306 if (likely(p))
4307 return 0;
4308out_overflow:
4309 print_overflow_msg(__func__, xdr);
4310 return -EIO;
4076} 4311}
4077 4312
4078static int decode_setclientid(struct xdr_stream *xdr, struct nfs_client *clp) 4313static int decode_setclientid(struct xdr_stream *xdr, struct nfs_client *clp)
@@ -4081,7 +4316,9 @@ static int decode_setclientid(struct xdr_stream *xdr, struct nfs_client *clp)
4081 uint32_t opnum; 4316 uint32_t opnum;
4082 int32_t nfserr; 4317 int32_t nfserr;
4083 4318
4084 READ_BUF(8); 4319 p = xdr_inline_decode(xdr, 8);
4320 if (unlikely(!p))
4321 goto out_overflow;
4085 opnum = be32_to_cpup(p++); 4322 opnum = be32_to_cpup(p++);
4086 if (opnum != OP_SETCLIENTID) { 4323 if (opnum != OP_SETCLIENTID) {
4087 dprintk("nfs: decode_setclientid: Server returned operation" 4324 dprintk("nfs: decode_setclientid: Server returned operation"
@@ -4090,26 +4327,39 @@ static int decode_setclientid(struct xdr_stream *xdr, struct nfs_client *clp)
4090 } 4327 }
4091 nfserr = be32_to_cpup(p++); 4328 nfserr = be32_to_cpup(p++);
4092 if (nfserr == NFS_OK) { 4329 if (nfserr == NFS_OK) {
4093 READ_BUF(8 + NFS4_VERIFIER_SIZE); 4330 p = xdr_inline_decode(xdr, 8 + NFS4_VERIFIER_SIZE);
4331 if (unlikely(!p))
4332 goto out_overflow;
4094 p = xdr_decode_hyper(p, &clp->cl_clientid); 4333 p = xdr_decode_hyper(p, &clp->cl_clientid);
4095 memcpy(clp->cl_confirm.data, p, NFS4_VERIFIER_SIZE); 4334 memcpy(clp->cl_confirm.data, p, NFS4_VERIFIER_SIZE);
4096 } else if (nfserr == NFSERR_CLID_INUSE) { 4335 } else if (nfserr == NFSERR_CLID_INUSE) {
4097 uint32_t len; 4336 uint32_t len;
4098 4337
4099 /* skip netid string */ 4338 /* skip netid string */
4100 READ_BUF(4); 4339 p = xdr_inline_decode(xdr, 4);
4340 if (unlikely(!p))
4341 goto out_overflow;
4101 len = be32_to_cpup(p++); 4342 len = be32_to_cpup(p++);
4102 READ_BUF(len); 4343 p = xdr_inline_decode(xdr, len);
4344 if (unlikely(!p))
4345 goto out_overflow;
4103 4346
4104 /* skip uaddr string */ 4347 /* skip uaddr string */
4105 READ_BUF(4); 4348 p = xdr_inline_decode(xdr, 4);
4349 if (unlikely(!p))
4350 goto out_overflow;
4106 len = be32_to_cpup(p++); 4351 len = be32_to_cpup(p++);
4107 READ_BUF(len); 4352 p = xdr_inline_decode(xdr, len);
4353 if (unlikely(!p))
4354 goto out_overflow;
4108 return -NFSERR_CLID_INUSE; 4355 return -NFSERR_CLID_INUSE;
4109 } else 4356 } else
4110 return nfs4_stat_to_errno(nfserr); 4357 return nfs4_stat_to_errno(nfserr);
4111 4358
4112 return 0; 4359 return 0;
4360out_overflow:
4361 print_overflow_msg(__func__, xdr);
4362 return -EIO;
4113} 4363}
4114 4364
4115static int decode_setclientid_confirm(struct xdr_stream *xdr) 4365static int decode_setclientid_confirm(struct xdr_stream *xdr)
@@ -4126,11 +4376,16 @@ static int decode_write(struct xdr_stream *xdr, struct nfs_writeres *res)
4126 if (status) 4376 if (status)
4127 return status; 4377 return status;
4128 4378
4129 READ_BUF(16); 4379 p = xdr_inline_decode(xdr, 16);
4380 if (unlikely(!p))
4381 goto out_overflow;
4130 res->count = be32_to_cpup(p++); 4382 res->count = be32_to_cpup(p++);
4131 res->verf->committed = be32_to_cpup(p++); 4383 res->verf->committed = be32_to_cpup(p++);
4132 memcpy(res->verf->verifier, p, 8); 4384 memcpy(res->verf->verifier, p, 8);
4133 return 0; 4385 return 0;
4386out_overflow:
4387 print_overflow_msg(__func__, xdr);
4388 return -EIO;
4134} 4389}
4135 4390
4136static int decode_delegreturn(struct xdr_stream *xdr) 4391static int decode_delegreturn(struct xdr_stream *xdr)
@@ -4152,9 +4407,13 @@ static int decode_exchange_id(struct xdr_stream *xdr,
4152 if (status) 4407 if (status)
4153 return status; 4408 return status;
4154 4409
4155 READ_BUF(8); 4410 p = xdr_inline_decode(xdr, 8);
4411 if (unlikely(!p))
4412 goto out_overflow;
4156 p = xdr_decode_hyper(p, &clp->cl_ex_clid); 4413 p = xdr_decode_hyper(p, &clp->cl_ex_clid);
4157 READ_BUF(12); 4414 p = xdr_inline_decode(xdr, 12);
4415 if (unlikely(!p))
4416 goto out_overflow;
4158 clp->cl_seqid = be32_to_cpup(p++); 4417 clp->cl_seqid = be32_to_cpup(p++);
4159 clp->cl_exchange_flags = be32_to_cpup(p++); 4418 clp->cl_exchange_flags = be32_to_cpup(p++);
4160 4419
@@ -4164,7 +4423,9 @@ static int decode_exchange_id(struct xdr_stream *xdr,
4164 return -EIO; 4423 return -EIO;
4165 4424
4166 /* Throw away minor_id */ 4425 /* Throw away minor_id */
4167 READ_BUF(8); 4426 p = xdr_inline_decode(xdr, 8);
4427 if (unlikely(!p))
4428 goto out_overflow;
4168 4429
4169 /* Throw away Major id */ 4430 /* Throw away Major id */
4170 status = decode_opaque_inline(xdr, &dummy, &dummy_str); 4431 status = decode_opaque_inline(xdr, &dummy, &dummy_str);
@@ -4182,6 +4443,9 @@ static int decode_exchange_id(struct xdr_stream *xdr,
4182 return status; 4443 return status;
4183 4444
4184 return 0; 4445 return 0;
4446out_overflow:
4447 print_overflow_msg(__func__, xdr);
4448 return -EIO;
4185} 4449}
4186 4450
4187static int decode_chan_attrs(struct xdr_stream *xdr, 4451static int decode_chan_attrs(struct xdr_stream *xdr,
@@ -4190,7 +4454,9 @@ static int decode_chan_attrs(struct xdr_stream *xdr,
4190 __be32 *p; 4454 __be32 *p;
4191 u32 nr_attrs; 4455 u32 nr_attrs;
4192 4456
4193 READ_BUF(28); 4457 p = xdr_inline_decode(xdr, 28);
4458 if (unlikely(!p))
4459 goto out_overflow;
4194 attrs->headerpadsz = be32_to_cpup(p++); 4460 attrs->headerpadsz = be32_to_cpup(p++);
4195 attrs->max_rqst_sz = be32_to_cpup(p++); 4461 attrs->max_rqst_sz = be32_to_cpup(p++);
4196 attrs->max_resp_sz = be32_to_cpup(p++); 4462 attrs->max_resp_sz = be32_to_cpup(p++);
@@ -4203,9 +4469,15 @@ static int decode_chan_attrs(struct xdr_stream *xdr,
4203 __func__, nr_attrs); 4469 __func__, nr_attrs);
4204 return -EINVAL; 4470 return -EINVAL;
4205 } 4471 }
4206 if (nr_attrs == 1) 4472 if (nr_attrs == 1) {
4207 READ_BUF(4); /* skip rdma_attrs */ 4473 p = xdr_inline_decode(xdr, 4); /* skip rdma_attrs */
4474 if (unlikely(!p))
4475 goto out_overflow;
4476 }
4208 return 0; 4477 return 0;
4478out_overflow:
4479 print_overflow_msg(__func__, xdr);
4480 return -EIO;
4209} 4481}
4210 4482
4211static int decode_sessionid(struct xdr_stream *xdr, struct nfs4_sessionid *sid) 4483static int decode_sessionid(struct xdr_stream *xdr, struct nfs4_sessionid *sid)
@@ -4228,7 +4500,9 @@ static int decode_create_session(struct xdr_stream *xdr,
4228 return status; 4500 return status;
4229 4501
4230 /* seqid, flags */ 4502 /* seqid, flags */
4231 READ_BUF(8); 4503 p = xdr_inline_decode(xdr, 8);
4504 if (unlikely(!p))
4505 goto out_overflow;
4232 clp->cl_seqid = be32_to_cpup(p++); 4506 clp->cl_seqid = be32_to_cpup(p++);
4233 session->flags = be32_to_cpup(p++); 4507 session->flags = be32_to_cpup(p++);
4234 4508
@@ -4237,6 +4511,9 @@ static int decode_create_session(struct xdr_stream *xdr,
4237 if (!status) 4511 if (!status)
4238 status = decode_chan_attrs(xdr, &session->bc_attrs); 4512 status = decode_chan_attrs(xdr, &session->bc_attrs);
4239 return status; 4513 return status;
4514out_overflow:
4515 print_overflow_msg(__func__, xdr);
4516 return -EIO;
4240} 4517}
4241 4518
4242static int decode_destroy_session(struct xdr_stream *xdr, void *dummy) 4519static int decode_destroy_session(struct xdr_stream *xdr, void *dummy)
@@ -4277,7 +4554,9 @@ static int decode_sequence(struct xdr_stream *xdr,
4277 goto out_err; 4554 goto out_err;
4278 } 4555 }
4279 4556
4280 READ_BUF(20); 4557 p = xdr_inline_decode(xdr, 20);
4558 if (unlikely(!p))
4559 goto out_overflow;
4281 4560
4282 /* seqid */ 4561 /* seqid */
4283 slot = &res->sr_session->fc_slot_table.slots[res->sr_slotid]; 4562 slot = &res->sr_session->fc_slot_table.slots[res->sr_slotid];
@@ -4302,6 +4581,10 @@ static int decode_sequence(struct xdr_stream *xdr,
4302out_err: 4581out_err:
4303 res->sr_status = status; 4582 res->sr_status = status;
4304 return status; 4583 return status;
4584out_overflow:
4585 print_overflow_msg(__func__, xdr);
4586 status = -EIO;
4587 goto out_err;
4305#else /* CONFIG_NFS_V4_1 */ 4588#else /* CONFIG_NFS_V4_1 */
4306 return 0; 4589 return 0;
4307#endif /* CONFIG_NFS_V4_1 */ 4590#endif /* CONFIG_NFS_V4_1 */