1 files changed, 27 insertions, 0 deletions
diff --git a/fs/nfsd/nfs4state.c b/fs/nfsd/nfs4state.c
index e252aa79c94f..fe4ba68886d8 100644
--- a/fs/nfsd/nfs4state.c
+++ b/fs/nfsd/nfs4state.c
@@ -1506,6 +1506,29 @@ nfsd4_replay_create_session(struct nfsd4_create_session *cr_ses,
        return slot->sl_status;
 }
+#define NFSD_MIN_REQ_HDR_SEQ_SZ ((\
+                        2 * 2 + /* credential,verifier: AUTH_NULL, length 0 */ \
+                        1 +     /* MIN tag is length with zero, only length */ \
+                        3 +     /* version, opcount, opcode */ \
+                        XDR_QUADLEN(NFS4_MAX_SESSIONID_LEN) + \
+                                /* seqid, slotID, slotID, cache */ \
+                        4 ) * sizeof(__be32))
+#define NFSD_MIN_RESP_HDR_SEQ_SZ ((\
+                        2 +     /* verifier: AUTH_NULL, length 0 */\
+                        1 +     /* status */ \
+                        1 +     /* MIN tag is length with zero, only length */ \
+                        3 +     /* opcount, opcode, opstatus*/ \
+                        XDR_QUADLEN(NFS4_MAX_SESSIONID_LEN) + \
+                                /* seqid, slotID, slotID, slotID, status */ \
+                        5 ) * sizeof(__be32))
+static __be32 check_forechannel_attrs(struct nfsd4_channel_attrs fchannel)
+{
+        return fchannel.maxreq_sz < NFSD_MIN_REQ_HDR_SEQ_SZ
+                || fchannel.maxresp_sz < NFSD_MIN_RESP_HDR_SEQ_SZ;
+}
 __be32
 nfsd4_create_session(struct svc_rqst *rqstp,
                     struct nfsd4_compound_state *cstate,
@@ -1574,6 +1597,10 @@ nfsd4_create_session(struct svc_rqst *rqstp,
        cr_ses->flags &= ~SESSION4_PERSIST;
        cr_ses->flags &= ~SESSION4_RDMA;
+        status = nfserr_toosmall;
+        if (check_forechannel_attrs(cr_ses->fore_channel))
+                goto out;
        status = nfserr_jukebox;
        new = alloc_init_session(rqstp, conf, cr_ses);
        if (!new)

diff --git a/fs/nfsd/nfs4state.c b/fs/nfsd/nfs4state.c index e252aa79c94f..fe4ba68886d8 100644 --- a/fs/nfsd/nfs4state.c +++ b/fs/nfsd/nfs4state.c
@@ -1506,6 +1506,29 @@ nfsd4_replay_create_session(struct nfsd4_create_session *cr_ses,
1506	return slot->sl_status;	1506	return slot->sl_status;
1507	}	1507	}
1508		1508
		1509	#define NFSD_MIN_REQ_HDR_SEQ_SZ ((\
		1510	2 * 2 + /* credential,verifier: AUTH_NULL, length 0 */ \
		1511	1 + /* MIN tag is length with zero, only length */ \
		1512	3 + /* version, opcount, opcode */ \
		1513	XDR_QUADLEN(NFS4_MAX_SESSIONID_LEN) + \
		1514	/* seqid, slotID, slotID, cache */ \
		1515	4 ) * sizeof(__be32))
		1516
		1517	#define NFSD_MIN_RESP_HDR_SEQ_SZ ((\
		1518	2 + /* verifier: AUTH_NULL, length 0 */\
		1519	1 + /* status */ \
		1520	1 + /* MIN tag is length with zero, only length */ \
		1521	3 + /* opcount, opcode, opstatus*/ \
		1522	XDR_QUADLEN(NFS4_MAX_SESSIONID_LEN) + \
		1523	/* seqid, slotID, slotID, slotID, status */ \
		1524	5 ) * sizeof(__be32))
		1525
		1526	static __be32 check_forechannel_attrs(struct nfsd4_channel_attrs fchannel)
		1527	{
		1528	return fchannel.maxreq_sz < NFSD_MIN_REQ_HDR_SEQ_SZ
		1529	\|\| fchannel.maxresp_sz < NFSD_MIN_RESP_HDR_SEQ_SZ;
		1530	}
		1531
1509	__be32	1532	__be32
1510	nfsd4_create_session(struct svc_rqst *rqstp,	1533	nfsd4_create_session(struct svc_rqst *rqstp,
1511	struct nfsd4_compound_state *cstate,	1534	struct nfsd4_compound_state *cstate,
@@ -1574,6 +1597,10 @@ nfsd4_create_session(struct svc_rqst *rqstp,
1574	cr_ses->flags &= ~SESSION4_PERSIST;	1597	cr_ses->flags &= ~SESSION4_PERSIST;
1575	cr_ses->flags &= ~SESSION4_RDMA;	1598	cr_ses->flags &= ~SESSION4_RDMA;
1576		1599
		1600	status = nfserr_toosmall;
		1601	if (check_forechannel_attrs(cr_ses->fore_channel))
		1602	goto out;
		1603
1577	status = nfserr_jukebox;	1604	status = nfserr_jukebox;
1578	new = alloc_init_session(rqstp, conf, cr_ses);	1605	new = alloc_init_session(rqstp, conf, cr_ses);
1579	if (!new)	1606	if (!new)