[PATCH] NFS4: Avoid potential NULL pointer dereference in decode_and_add_ds().

[PATCH] NFS4: Avoid potential NULL pointer dereference in decode_and_add_ds().

[Jesper Juhl]

strrchr() can return NULL if nothing is found. If this happens we'll 
dereference a NULL pointer in 
fs/nfs/nfs4filelayoutdev.c::decode_and_add_ds().

I tried to find some other code that guarantees that this can never 
happen but I was unsuccessful. So, unless someone else can point to some 
code that ensures this can never be a problem, I believe this patch is 
needed.

While I was changing this code I also noticed that all the dprintk() 
statements, except one, start with "%s:". The one missing the ":" I added 
it to.

Signed-off-by: Jesper Juhl <jj@chaosbits.net>
---
 nfs4filelayoutdev.c |    7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

  only compile tested.

diff --git a/fs/nfs/nfs4filelayoutdev.c b/fs/nfs/nfs4filelayoutdev.c
index 51fe64a..5a85b8f 100644
--- a/fs/nfs/nfs4filelayoutdev.c
+++ b/fs/nfs/nfs4filelayoutdev.c
@@ -214,7 +214,7 @@ decode_and_add_ds(__be32 **pp, struct inode *inode)
 
 	/* ipv6 length plus port is legal */
 	if (rlen > INET6_ADDRSTRLEN + 8) {
-		dprintk("%s Invalid address, length %d\n", __func__,
+		dprintk("%s: Invalid address, length %d\n", __func__,
 			rlen);
 		goto out_err;
 	}
@@ -225,6 +225,11 @@ decode_and_add_ds(__be32 **pp, struct inode *inode)
 	/* replace the port dots with dashes for the in4_pton() delimiter*/
 	for (i = 0; i < 2; i++) {
 		char *res = strrchr(buf, '.');
+		if (!res) {
+			dprintk("%s: Failed finding expected dots in port\n",
+				__func__);
+			goto out_free;
+		}
 		*res = '-';
 	}
 

-- 
Jesper Juhl <jj@chaosbits.net>            http://www.chaosbits.net/
Don't top-post http://www.catb.org/~esr/jargon/html/T/top-post.html
Plain text mails only, please.

Re: [PATCH] NFS4: Avoid potential NULL pointer dereference in decode_and_add_ds().

[Mi Jinlong]

Jesper Juhl:
> strrchr() can return NULL if nothing is found. If this happens we'll 
> dereference a NULL pointer in 
> fs/nfs/nfs4filelayoutdev.c::decode_and_add_ds().
> 
> I tried to find some other code that guarantees that this can never 
> happen but I was unsuccessful. So, unless someone else can point to some 
> code that ensures this can never be a problem, I believe this patch is 
> needed.
> 
> While I was changing this code I also noticed that all the dprintk() 
> statements, except one, start with "%s:". The one missing the ":" I added 
> it to.

  Maybe another one also should be changed at decode_and_add_ds() at line 243:

   243  printk("%s Decoded address and port %s\n", __func__, buf);

-- 
----
thanks
Mi Jinlong

> 
> Signed-off-by: Jesper Juhl <jj@chaosbits.net>
> ---
>  nfs4filelayoutdev.c |    7 ++++++-
>  1 file changed, 6 insertions(+), 1 deletion(-)
> 
>   only compile tested.
> 
> diff --git a/fs/nfs/nfs4filelayoutdev.c b/fs/nfs/nfs4filelayoutdev.c
> index 51fe64a..5a85b8f 100644
> --- a/fs/nfs/nfs4filelayoutdev.c
> +++ b/fs/nfs/nfs4filelayoutdev.c
> @@ -214,7 +214,7 @@ decode_and_add_ds(__be32 **pp, struct inode *inode)
>  
>  	/* ipv6 length plus port is legal */
>  	if (rlen > INET6_ADDRSTRLEN + 8) {
> -		dprintk("%s Invalid address, length %d\n", __func__,
> +		dprintk("%s: Invalid address, length %d\n", __func__,
>  			rlen);
>  		goto out_err;
>  	}
> @@ -225,6 +225,11 @@ decode_and_add_ds(__be32 **pp, struct inode *inode)
>  	/* replace the port dots with dashes for the in4_pton() delimiter*/
>  	for (i = 0; i < 2; i++) {
>  		char *res = strrchr(buf, '.');
> +		if (!res) {
> +			dprintk("%s: Failed finding expected dots in port\n",
> +				__func__);
> +			goto out_free;
> +		}
>  		*res = '-';
>  	}
>  
> 

Re: [PATCH] NFS4: Avoid potential NULL pointer dereference in decode_and_add_ds().

[Fred Isaman]

On Sun, Jan 16, 2011 at 3:50 PM, Jesper Juhl <jj@chaosbits.net> wrote:
> strrchr() can return NULL if nothing is found. If this happens we'll
> dereference a NULL pointer in
> fs/nfs/nfs4filelayoutdev.c::decode_and_add_ds().
>
> I tried to find some other code that guarantees that this can never
> happen but I was unsuccessful. So, unless someone else can point to some
> code that ensures this can never be a problem, I believe this patch is
> needed.
>

The only guarantee is the assumption that the server isn't sending
garbage.  As such, this patch looks good to me.

Fred

> While I was changing this code I also noticed that all the dprintk()
> statements, except one, start with "%s:". The one missing the ":" I added
> it to.
>
> Signed-off-by: Jesper Juhl <jj@chaosbits.net>
> ---
>  nfs4filelayoutdev.c |    7 ++++++-
>  1 file changed, 6 insertions(+), 1 deletion(-)
>
>  only compile tested.
>
> diff --git a/fs/nfs/nfs4filelayoutdev.c b/fs/nfs/nfs4filelayoutdev.c
> index 51fe64a..5a85b8f 100644
> --- a/fs/nfs/nfs4filelayoutdev.c
> +++ b/fs/nfs/nfs4filelayoutdev.c
> @@ -214,7 +214,7 @@ decode_and_add_ds(__be32 **pp, struct inode *inode)
>
>        /* ipv6 length plus port is legal */
>        if (rlen > INET6_ADDRSTRLEN + 8) {
> -               dprintk("%s Invalid address, length %d\n", __func__,
> +               dprintk("%s: Invalid address, length %d\n", __func__,
>                        rlen);
>                goto out_err;
>        }
> @@ -225,6 +225,11 @@ decode_and_add_ds(__be32 **pp, struct inode *inode)
>        /* replace the port dots with dashes for the in4_pton() delimiter*/
>        for (i = 0; i < 2; i++) {
>                char *res = strrchr(buf, '.');
> +               if (!res) {
> +                       dprintk("%s: Failed finding expected dots in port\n",
> +                               __func__);
> +                       goto out_free;
> +               }
>                *res = '-';
>        }
>
>
> --
> Jesper Juhl <jj@chaosbits.net>            http://www.chaosbits.net/
> Don't top-post http://www.catb.org/~esr/jargon/html/T/top-post.html
> Plain text mails only, please.
>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>

Re: [PATCH] NFS4: Avoid potential NULL pointer dereference in decode_and_add_ds().

[Jesper Juhl]

On Mon, 17 Jan 2011, Mi Jinlong wrote:

> 
> 
> Jesper Juhl:
> > strrchr() can return NULL if nothing is found. If this happens we'll 
> > dereference a NULL pointer in 
> > fs/nfs/nfs4filelayoutdev.c::decode_and_add_ds().
> > 
> > I tried to find some other code that guarantees that this can never 
> > happen but I was unsuccessful. So, unless someone else can point to some 
> > code that ensures this can never be a problem, I believe this patch is 
> > needed.
> > 
> > While I was changing this code I also noticed that all the dprintk() 
> > statements, except one, start with "%s:". The one missing the ":" I added 
> > it to.
> 
>   Maybe another one also should be changed at decode_and_add_ds() at line 243:
> 
>    243  printk("%s Decoded address and port %s\n", __func__, buf);
> 
Missed that one. Thanks. 

Signed-off-by: Jesper Juhl <jj@chaosbits.net>
---
 nfs4filelayoutdev.c |    9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/fs/nfs/nfs4filelayoutdev.c b/fs/nfs/nfs4filelayoutdev.c
index 51fe64a..f5c9b12 100644
--- a/fs/nfs/nfs4filelayoutdev.c
+++ b/fs/nfs/nfs4filelayoutdev.c
@@ -214,7 +214,7 @@ decode_and_add_ds(__be32 **pp, struct inode *inode)
 
 	/* ipv6 length plus port is legal */
 	if (rlen > INET6_ADDRSTRLEN + 8) {
-		dprintk("%s Invalid address, length %d\n", __func__,
+		dprintk("%s: Invalid address, length %d\n", __func__,
 			rlen);
 		goto out_err;
 	}
@@ -225,6 +225,11 @@ decode_and_add_ds(__be32 **pp, struct inode *inode)
 	/* replace the port dots with dashes for the in4_pton() delimiter*/
 	for (i = 0; i < 2; i++) {
 		char *res = strrchr(buf, '.');
+		if (!res) {
+			dprintk("%s: Failed finding expected dots in port\n",
+				__func__);
+			goto out_free;
+		}
 		*res = '-';
 	}
 
@@ -240,7 +245,7 @@ decode_and_add_ds(__be32 **pp, struct inode *inode)
 	port = htons((tmp[0] << 8) | (tmp[1]));
 
 	ds = nfs4_pnfs_ds_add(inode, ip_addr, port);
-	dprintk("%s Decoded address and port %s\n", __func__, buf);
+	dprintk("%s: Decoded address and port %s\n", __func__, buf);
 out_free:
 	kfree(buf);
 out_err:
 

-- 
Jesper Juhl <jj@chaosbits.net>            http://www.chaosbits.net/
Don't top-post http://www.catb.org/~esr/jargon/html/T/top-post.html
Plain text mails only, please.

Re: [PATCH] NFS4: Avoid potential NULL pointer dereference in decode_and_add_ds().

[Jesper Juhl]

On Mon, 17 Jan 2011, Fred Isaman wrote:

> On Sun, Jan 16, 2011 at 3:50 PM, Jesper Juhl <jj@chaosbits.net> wrote:
> > strrchr() can return NULL if nothing is found. If this happens we'll
> > dereference a NULL pointer in
> > fs/nfs/nfs4filelayoutdev.c::decode_and_add_ds().
> >
> > I tried to find some other code that guarantees that this can never
> > happen but I was unsuccessful. So, unless someone else can point to some
> > code that ensures this can never be a problem, I believe this patch is
> > needed.
> >
> 
> The only guarantee is the assumption that the server isn't sending
> garbage.  As such, this patch looks good to me.
> 

Thanks. Can I add your Acked-by: if/when I resend the patch?

-- 
Jesper Juhl <jj@chaosbits.net>            http://www.chaosbits.net/
Don't top-post http://www.catb.org/~esr/jargon/html/T/top-post.html
Plain text mails only, please.

Re: [PATCH] NFS4: Avoid potential NULL pointer dereference in decode_and_add_ds().

[Fred Isaman]

On Mon, Jan 17, 2011 at 1:42 PM, Jesper Juhl <jj@chaosbits.net> wrote:
> On Mon, 17 Jan 2011, Fred Isaman wrote:
>
>> On Sun, Jan 16, 2011 at 3:50 PM, Jesper Juhl <jj@chaosbits.net> wrote:
>> > strrchr() can return NULL if nothing is found. If this happens we'll
>> > dereference a NULL pointer in
>> > fs/nfs/nfs4filelayoutdev.c::decode_and_add_ds().
>> >
>> > I tried to find some other code that guarantees that this can never
>> > happen but I was unsuccessful. So, unless someone else can point to some
>> > code that ensures this can never be a problem, I believe this patch is
>> > needed.
>> >
>>
>> The only guarantee is the assumption that the server isn't sending
>> garbage.  As such, this patch looks good to me.
>>
>
> Thanks. Can I add your Acked-by: if/when I resend the patch?
>

Yes.

Fred

> --
> Jesper Juhl <jj@chaosbits.net>            http://www.chaosbits.net/
> Don't top-post http://www.catb.org/~esr/jargon/html/T/top-post.html
> Plain text mails only, please.
>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>

Re: [PATCH] NFS4: Avoid potential NULL pointer dereference in decode_and_add_ds().

[Andy Adamson]

On Jan 17, 2011, at 1:41 PM, Jesper Juhl wrote:

> On Mon, 17 Jan 2011, Mi Jinlong wrote:
> 
>> 
>> 
>> Jesper Juhl:
>>> strrchr() can return NULL if nothing is found. If this happens we'll 
>>> dereference a NULL pointer in 
>>> fs/nfs/nfs4filelayoutdev.c::decode_and_add_ds().



Yes - good catch.

-->Andy

>>> 
>>> I tried to find some other code that guarantees that this can never 
>>> happen but I was unsuccessful. So, unless someone else can point to some 
>>> code that ensures this can never be a problem, I believe this patch is 
>>> needed.
>>> 
>>> While I was changing this code I also noticed that all the dprintk() 
>>> statements, except one, start with "%s:". The one missing the ":" I added 
>>> it to.
>> 
>>  Maybe another one also should be changed at decode_and_add_ds() at line 243:
>> 
>>   243  printk("%s Decoded address and port %s\n", __func__, buf);
>> 
> Missed that one. Thanks. 
> 
> Signed-off-by: Jesper Juhl <jj@chaosbits.net>
> ---
> nfs4filelayoutdev.c |    9 +++++++--
> 1 file changed, 7 insertions(+), 2 deletions(-)
> 
> diff --git a/fs/nfs/nfs4filelayoutdev.c b/fs/nfs/nfs4filelayoutdev.c
> index 51fe64a..f5c9b12 100644
> --- a/fs/nfs/nfs4filelayoutdev.c
> +++ b/fs/nfs/nfs4filelayoutdev.c
> @@ -214,7 +214,7 @@ decode_and_add_ds(__be32 **pp, struct inode *inode)
> 
> 	/* ipv6 length plus port is legal */
> 	if (rlen > INET6_ADDRSTRLEN + 8) {
> -		dprintk("%s Invalid address, length %d\n", __func__,
> +		dprintk("%s: Invalid address, length %d\n", __func__,
> 			rlen);
> 		goto out_err;
> 	}
> @@ -225,6 +225,11 @@ decode_and_add_ds(__be32 **pp, struct inode *inode)
> 	/* replace the port dots with dashes for the in4_pton() delimiter*/
> 	for (i = 0; i < 2; i++) {
> 		char *res = strrchr(buf, '.');
> +		if (!res) {
> +			dprintk("%s: Failed finding expected dots in port\n",
> +				__func__);
> +			goto out_free;
> +		}
> 		*res = '-';
> 	}
> 
> @@ -240,7 +245,7 @@ decode_and_add_ds(__be32 **pp, struct inode *inode)
> 	port = htons((tmp[0] << 8) | (tmp[1]));
> 
> 	ds = nfs4_pnfs_ds_add(inode, ip_addr, port);
> -	dprintk("%s Decoded address and port %s\n", __func__, buf);
> +	dprintk("%s: Decoded address and port %s\n", __func__, buf);
> out_free:
> 	kfree(buf);
> out_err:
> 
> 
> -- 
> Jesper Juhl <jj@chaosbits.net>            http://www.chaosbits.net/
> Don't top-post http://www.catb.org/~esr/jargon/html/T/top-post.html
> Plain text mails only, please.
> 
> --
> To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html