commit 540d9864e1c5f8d3ca2ecc919e7d8a47e713ec3f
author Trond Myklebust <trond.myklebust@primarydata.com> Tue Aug 25 11:16:13 2015 -0400
committer Trond Myklebust <trond.myklebust@primarydata.com> Tue Aug 25 14:40:10 2015 -0400
tree 5b542b75b920672a01d8b289dbee0d071dc83810
parent 82714bd1424a88e4bb43813c8a78fbe8f6c5feab

NFSv4.1/pnfs: Add sanity check for the layout range returned by the server

Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>

fs/nfs/pnfs.c

diff --git a/fs/nfs/pnfs.c b/fs/nfs/pnfs.c
index 3530bb7..68cc4b1 100644
--- a/fs/nfs/pnfs.c
+++ b/fs/nfs/pnfs.c
@@ -1561,6 +1561,26 @@
 }
 EXPORT_SYMBOL_GPL(pnfs_update_layout);
 
+static bool
+pnfs_sanity_check_layout_range(struct pnfs_layout_range *range)
+{
+	switch (range->iomode) {
+	case IOMODE_READ:
+	case IOMODE_RW:
+		break;
+	default:
+		return false;
+	}
+	if (range->offset == NFS4_MAX_UINT64)
+		return false;
+	if (range->length == 0)
+		return false;
+	if (range->length != NFS4_MAX_UINT64 &&
+	    range->length > NFS4_MAX_UINT64 - range->offset)
+		return false;
+	return true;
+}
+
 struct pnfs_layout_segment *
 pnfs_layout_process(struct nfs4_layoutget *lgp)
 {
@@ -1569,7 +1589,10 @@
 	struct pnfs_layout_segment *lseg;
 	struct inode *ino = lo->plh_inode;
 	LIST_HEAD(free_me);
-	int status = 0;
+	int status = -EINVAL;
+
+	if (!pnfs_sanity_check_layout_range(&res->range))
+		goto out;
 
 	/* Inject layout blob into I/O device driver */
 	lseg = NFS_SERVER(ino)->pnfs_curr_ld->alloc_lseg(lo, res, lgp->gfp_flags);