nfsd4: zero op arguments beyond the 8th compound op
The first 8 ops of the compound are zeroed since they're a part of the
argument that's zeroed by the
memset(rqstp->rq_argp, 0, procp->pc_argsize);
in svc_process_common(). But we handle larger compounds by allocating
the memory on the fly in nfsd4_decode_compound(). Other than code
recently fixed by 01529e3f81
"NFSD: Fix memory leak in encoding denied
lock", I don't know of any examples of code depending on this
initialization. But it definitely seems possible, and I'd rather be
safe.
Compounds this long are unusual so I'm much more worried about failure
in this poorly tested cases than about an insignificant performance hit.
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
This commit is contained in:
parent
ae4b884fc6
commit
5d6031ca74
|
@ -1635,7 +1635,7 @@ nfsd4_decode_compound(struct nfsd4_compoundargs *argp)
|
||||||
goto xdr_error;
|
goto xdr_error;
|
||||||
|
|
||||||
if (argp->opcnt > ARRAY_SIZE(argp->iops)) {
|
if (argp->opcnt > ARRAY_SIZE(argp->iops)) {
|
||||||
argp->ops = kmalloc(argp->opcnt * sizeof(*argp->ops), GFP_KERNEL);
|
argp->ops = kzalloc(argp->opcnt * sizeof(*argp->ops), GFP_KERNEL);
|
||||||
if (!argp->ops) {
|
if (!argp->ops) {
|
||||||
argp->ops = argp->iops;
|
argp->ops = argp->iops;
|
||||||
dprintk("nfsd: couldn't allocate room for COMPOUND\n");
|
dprintk("nfsd: couldn't allocate room for COMPOUND\n");
|
||||||
|
|
Loading…
Reference in New Issue