summaryrefslogtreecommitdiffstats
path: root/xlators/nfs/server/src
diff options
context:
space:
mode:
authorAnand Avati <avati@redhat.com>2013-08-26 21:58:26 -0700
committerAnand Avati <avati@redhat.com>2013-09-09 17:16:41 -0700
commit6e9dbdd6e16cca1e32e7c7e00b2618a837f1c18a (patch)
treeadbcb69fb756f924e3f61680bcab40040cfb22af /xlators/nfs/server/src
parent7ad7c0171cb8341ac8293c6b01313e2eac8bab07 (diff)
nfs: prevent NFS server crash when upgrading from 3.2.x server
After an upgrade the NFS3 filehandle size changed (became smaller), but when doing a live ugprade the client would send the old handle (expect ESTALE and do fresh lookup). But when reading the old handle we were reading it into a structure which was limited to the size of the new handle, while we should have been reading into a buffer which is as big as the NFS3 spec permits the handle size to be. The actor functions declare the structure on the stack. So the overflow is resulting in a stack corruption. Change-Id: Ie930875ac9db46b43d1cb8ad1e6d89cdaeded7ca BUG: 1002385 Signed-off-by: Anand Avati <avati@redhat.com> Reviewed-on: http://review.gluster.org/5730 Reviewed-by: Rajesh Joseph <rjoseph@redhat.com> Reviewed-by: Niels de Vos <ndevos@redhat.com> Tested-by: Gluster Build System <jenkins@build.gluster.com> Reviewed-on: http://review.gluster.org/5804 Reviewed-by: Kaleb KEITHLEY <kkeithle@redhat.com>
Diffstat (limited to 'xlators/nfs/server/src')
-rw-r--r--xlators/nfs/server/src/nfs3-fh.h5
1 files changed, 5 insertions, 0 deletions
diff --git a/xlators/nfs/server/src/nfs3-fh.h b/xlators/nfs/server/src/nfs3-fh.h
index a9002afe724..be226f45acb 100644
--- a/xlators/nfs/server/src/nfs3-fh.h
+++ b/xlators/nfs/server/src/nfs3-fh.h
@@ -63,6 +63,11 @@ struct nfs3_fh {
/* File/dir gfid. */
uuid_t gfid;
+ /* This structure must be exactly NFS3_FHSIZE (64) bytes long.
+ Having the structure shorter results in buffer overflows
+ during XDR decoding.
+ */
+ unsigned char padding[NFS3_FHSIZE - GF_NFSFH_STATIC_SIZE];
} __attribute__((__packed__));
#define GF_NFS3FH_STATIC_INITIALIZER {{0},}