[Devel] [PATCH RHEL7 COMMIT] fs/fuse kio_pcs: missed *msg_size setting in rpc_get_hdr()
Konstantin Khorenko
khorenko at virtuozzo.com
Fri Aug 24 16:37:18 MSK 2018
The commit is pushed to "branch-rh7-3.10.0-862.11.6.vz7.71.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh7-3.10.0-862.11.6.vz7.71.4
------>
commit b4d16064e5950de34c8dd7f008cf4a93744d5e85
Author: Pavel Butsykin <pbutsykin at virtuozzo.com>
Date: Fri Aug 24 16:37:18 2018 +0300
fs/fuse kio_pcs: missed *msg_size setting in rpc_get_hdr()
In the case when the size of the message exceeds PAGE_SIZE, we should read this
message from the socket and ignore it. But setting *msg_size was missed,
so the msg_size variable remained uninitialized and any trash can be written to
sio->current_msg_size. This can lead to reading a huge amount of data from the
socket and result in a hang.
https://pmc.acronis.com/browse/VSTOR-13602
Signed-off-by: Pavel Butsykin <pbutsykin at virtuozzo.com>
Acked-by: Kirill Tkhai <ktkhai at virtuozzo.com>
---
fs/fuse/kio/pcs/pcs_rpc.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/fs/fuse/kio/pcs/pcs_rpc.c b/fs/fuse/kio/pcs/pcs_rpc.c
index a26624785fa9..5cba5660850c 100644
--- a/fs/fuse/kio/pcs/pcs_rpc.c
+++ b/fs/fuse/kio/pcs/pcs_rpc.c
@@ -529,6 +529,7 @@ struct pcs_msg *rpc_get_hdr(struct pcs_sockio * sio, u32 *msg_size)
if (h->len > PAGE_SIZE) {
FUSE_KLOG(cc_from_rpc(ep->eng)->fc, LOG_ERR, "Received too big msg %u\n", h->len);
+ *msg_size = h->len;
return PCS_TRASH_MSG;
}
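Review bot: in the h->len > PAGE_SIZE branch, the added *msg_size = h->len takes the discard length straight from the header read off the socket, and the only upper bound visible here is the u32 type, so one oversized header can still make the receiver read and throw away up to about 4 GiB. Consider defining a maximum skip length and failing the connection above it instead of draining the payload. Because the bug was an out-parameter left unset on one return path, it would also help to give *msg_size a defined value at the top of rpc_get_hdr(), or to document that every return path must set it, so a later early return cannot reintroduce the uninitialized read into sio->current_msg_size.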