rpc: remove some BUG()s

It would be kinder to WARN() and recover in several spots here instead
of BUG()ing.

Also, it looks like the read_u32_from_xdr_buf() call could actually
fail, though it might require a broken (or malicious) client, so convert
that to just an error return.

Reported-by: Weston Andros Adamson <dros@monkey.org>
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
This commit is contained in:
J. Bruce Fields 2017-10-24 14:58:11 -04:00
parent 0bad47cada
commit 1754eb2b27

View File

@ -855,11 +855,13 @@ unwrap_integ_data(struct svc_rqst *rqstp, struct xdr_buf *buf, u32 seq, struct g
return stat; return stat;
if (integ_len > buf->len) if (integ_len > buf->len)
return stat; return stat;
if (xdr_buf_subsegment(buf, &integ_buf, 0, integ_len)) if (xdr_buf_subsegment(buf, &integ_buf, 0, integ_len)) {
BUG(); WARN_ON_ONCE(1);
return stat;
}
/* copy out mic... */ /* copy out mic... */
if (read_u32_from_xdr_buf(buf, integ_len, &mic.len)) if (read_u32_from_xdr_buf(buf, integ_len, &mic.len))
BUG(); return stat;
if (mic.len > RPC_MAX_AUTH_SIZE) if (mic.len > RPC_MAX_AUTH_SIZE)
return stat; return stat;
mic.data = kmalloc(mic.len, GFP_KERNEL); mic.data = kmalloc(mic.len, GFP_KERNEL);
@ -1611,8 +1613,10 @@ svcauth_gss_wrap_resp_integ(struct svc_rqst *rqstp)
BUG_ON(integ_len % 4); BUG_ON(integ_len % 4);
*p++ = htonl(integ_len); *p++ = htonl(integ_len);
*p++ = htonl(gc->gc_seq); *p++ = htonl(gc->gc_seq);
if (xdr_buf_subsegment(resbuf, &integ_buf, integ_offset, integ_len)) if (xdr_buf_subsegment(resbuf, &integ_buf, integ_offset, integ_len)) {
BUG(); WARN_ON_ONCE(1);
goto out_err;
}
if (resbuf->tail[0].iov_base == NULL) { if (resbuf->tail[0].iov_base == NULL) {
if (resbuf->head[0].iov_len + RPC_MAX_AUTH_SIZE > PAGE_SIZE) if (resbuf->head[0].iov_len + RPC_MAX_AUTH_SIZE > PAGE_SIZE)
goto out_err; goto out_err;