summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorAl Viro <viro@zeniv.linux.org.uk>2015-07-04 22:17:39 +0200
committerAl Viro <viro@zeniv.linux.org.uk>2015-07-04 22:17:39 +0200
commit0f1db7dee200127da4c07928189748918c312031 (patch)
treebd2abe8f6e2929335e9326afa56f06102386c224
parentp9_client_write(): avoid double p9_free_req() (diff)
downloadlinux-0f1db7dee200127da4c07928189748918c312031.tar.xz
linux-0f1db7dee200127da4c07928189748918c312031.zip
9p: cope with bogus responses from server in p9_client_{read,write}
if server claims to have written/read more than we'd told it to, warn and cap the claimed byte count to avoid advancing more than we are ready to.
-rw-r--r--net/9p/client.c8
1 files changed, 8 insertions, 0 deletions
diff --git a/net/9p/client.c b/net/9p/client.c
index 81925b923318..498454b3c06c 100644
--- a/net/9p/client.c
+++ b/net/9p/client.c
@@ -1583,6 +1583,10 @@ p9_client_read(struct p9_fid *fid, u64 offset, struct iov_iter *to, int *err)
p9_free_req(clnt, req);
break;
}
+ if (rsize < count) {
+ pr_err("bogus RREAD count (%d > %d)\n", count, rsize);
+ count = rsize;
+ }
p9_debug(P9_DEBUG_9P, "<<< RREAD count %d\n", count);
if (!count) {
@@ -1650,6 +1654,10 @@ p9_client_write(struct p9_fid *fid, u64 offset, struct iov_iter *from, int *err)
p9_free_req(clnt, req);
break;
}
+ if (rsize < count) {
+ pr_err("bogus RWRITE count (%d > %d)\n", count, rsize);
+ count = rsize;
+ }
p9_debug(P9_DEBUG_9P, "<<< RWRITE count %d\n", count);