[RHEL7,COMMIT] fs/fuse kio_pcs: missed *msg_size setting in rpc_get_hdr()

Submitted by Konstantin Khorenko on Aug. 24, 2018, 1:37 p.m.

Details

Message ID 201808241337.w7ODbICF020107@finist_ce7.work
State New
Series "fs/fuse kio_pcs: missed *msg_size setting in rpc_get_hdr()"
Headers show

Commit Message

Konstantin Khorenko Aug. 24, 2018, 1:37 p.m.
The commit is pushed to "branch-rh7-3.10.0-862.11.6.vz7.71.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh7-3.10.0-862.11.6.vz7.71.4
------>
commit b4d16064e5950de34c8dd7f008cf4a93744d5e85
Author: Pavel Butsykin <pbutsykin@virtuozzo.com>
Date:   Fri Aug 24 16:37:18 2018 +0300

    fs/fuse kio_pcs: missed *msg_size setting in rpc_get_hdr()
    
    In the case when size of the message exceeds PAGE_SIZE, we should read this
    message from the socket and ignore it. But setting *msg_size was missed,
    so msg_size variable remained uninitialized and any trash can be written to
    sio->current_msg_size. This can lead to read huge amount of data from the
    socket and result in a hang.
    
    https://pmc.acronis.com/browse/VSTOR-13602
    
    Signed-off-by: Pavel Butsykin <pbutsykin@virtuozzo.com>
    Acked-by: Kirill Tkhai <ktkhai@virtuozzo.com>
---
 fs/fuse/kio/pcs/pcs_rpc.c | 1 +
 1 file changed, 1 insertion(+)

Patch hide | download patch | download mbox

diff --git a/fs/fuse/kio/pcs/pcs_rpc.c b/fs/fuse/kio/pcs/pcs_rpc.c
index a26624785fa9..5cba5660850c 100644
--- a/fs/fuse/kio/pcs/pcs_rpc.c
+++ b/fs/fuse/kio/pcs/pcs_rpc.c
@@ -529,6 +529,7 @@  struct pcs_msg *rpc_get_hdr(struct pcs_sockio * sio, u32 *msg_size)
 
 	if (h->len > PAGE_SIZE) {
 		FUSE_KLOG(cc_from_rpc(ep->eng)->fc, LOG_ERR, "Received too big msg  %u\n", h->len);
+		*msg_size = h->len;
 		return PCS_TRASH_MSG;
 	}