From: Ed Maste
Date: Fri, 23 Nov 2018 21:08:11 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org
Subject: svn commit: r340855 - in releng/12.0/sys/fs: nfs nfsserver

Author: emaste
Date: Fri Nov 23 21:08:11 2018
New Revision: 340855
URL: https://svnweb.freebsd.org/changeset/base/340855

Log:
MFS12 r340849, r340850, r340851:

MFC r340661 (rmacklem):
r304026 added code that started statistics gathering for an operation before the operation number (the variable called "op") was sanity checked. This patch moves the code down to below the range sanity check for "op".

MFC r340662 (rmacklem):
nfsm_advance() would panic() when the offs argument was negative. The code assumed that this would indicate a corrupted mbuf chain, but it could simply be caused by bogus RPC message data. This patch replaces the panic() with a printf() plus error return.

MFC r340663 (rmacklem):
Improve sanity checking for the dircount hint argument to NFSv3's ReaddirPlus and NFSv4's Readdir operations. The code checked for a zero argument, but did not check for a very large value.
This patch clips dircount at the server's maximum data size. Approved by: re (kib) Modified: releng/12.0/sys/fs/nfs/nfs_commonsubs.c releng/12.0/sys/fs/nfsserver/nfs_nfsdport.c releng/12.0/sys/fs/nfsserver/nfs_nfsdsocket.c Directory Properties: releng/12.0/ (props changed) Modified: releng/12.0/sys/fs/nfs/nfs_commonsubs.c ============================================================================== --- releng/12.0/sys/fs/nfs/nfs_commonsubs.c Fri Nov 23 20:41:54 2018 (r340854) +++ releng/12.0/sys/fs/nfs/nfs_commonsubs.c Fri Nov 23 21:08:11 2018 (r340855) @@ -725,10 +725,14 @@ nfsm_advance(struct nfsrv_descript *nd, int offs, int if (offs == 0) goto out; /* - * A negative offs should be considered a serious problem. + * A negative offs might indicate a corrupted mbuf chain and, + * as such, a printf is logged. */ - if (offs < 0) - panic("nfsrv_advance"); + if (offs < 0) { + printf("nfsrv_advance: negative offs\n"); + error = EBADRPC; + goto out; + } /* * If left == -1, calculate it here. Modified: releng/12.0/sys/fs/nfsserver/nfs_nfsdport.c ============================================================================== --- releng/12.0/sys/fs/nfsserver/nfs_nfsdport.c Fri Nov 23 20:41:54 2018 (r340854) +++ releng/12.0/sys/fs/nfsserver/nfs_nfsdport.c Fri Nov 23 21:08:11 2018 (r340855) 
@@ -2107,9 +2107,15 @@ nfsrvd_readdirplus(struct nfsrv_descript *nd, int isdg * cookie) should be in the reply. At least one client "hints" 0, * so I set it to cnt for that case. I also round it up to the * next multiple of DIRBLKSIZ. + * Since the size of a Readdirplus directory entry reply will always + * be greater than a directory entry returned by VOP_READDIR(), it + * does not make sense to read more than NFS_SRVMAXDATA() via + * VOP_READDIR(). */ if (siz <= 0) siz = cnt; + else if (siz > NFS_SRVMAXDATA(nd)) + siz = NFS_SRVMAXDATA(nd); siz = ((siz + DIRBLKSIZ - 1) & ~(DIRBLKSIZ - 1)); if (nd->nd_flag & ND_NFSV4) { Modified: releng/12.0/sys/fs/nfsserver/nfs_nfsdsocket.c ============================================================================== --- releng/12.0/sys/fs/nfsserver/nfs_nfsdsocket.c Fri Nov 23 20:41:54 2018 (r340854) +++ releng/12.0/sys/fs/nfsserver/nfs_nfsdsocket.c Fri Nov 23 21:08:11 2018 (r340855) @@ -766,11 +766,6 @@ nfsrvd_compound(struct nfsrv_descript *nd, int isdgram *repp = *tl; op = fxdr_unsigned(int, *tl); NFSD_DEBUG(4, "op=%d\n", op); - - binuptime(&start_time); - nfsrvd_statstart(op, &start_time); - statsinprog = 1; - if (op < NFSV4OP_ACCESS || (op >= NFSV4OP_NOPS && (nd->nd_flag & ND_NFSV41) == 0) || (op >= NFSV41_NOPS && (nd->nd_flag & ND_NFSV41) != 0)) { @@ -782,6 +777,11 @@ nfsrvd_compound(struct nfsrv_descript *nd, int isdgram } else { repp++; } + + binuptime(&start_time); + nfsrvd_statstart(op, &start_time); + statsinprog = 1; + if (i == 0) op0 = op; if (i == numops - 1)
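Review bot: in the nfs_commonsubs.c hunk, the new `offs < 0` branch of nfsm_advance() calls printf() unconditionally, and the commit log says this condition can be reached from bogus RPC message data, so whoever sends such messages controls how often the line is logged. Consider rate limiting the message (for example with ppsratecheck()) or logging it once. The string also says "nfsrv_advance" while the function named in the hunk header is nfsm_advance, and the new comment mentions only a corrupted mbuf chain, not the bogus-RPC case that motivated replacing the panic(); aligning both would make the log line easier to trace.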
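Review bot: in the nfsrvd_readdirplus() hunk, the clamp is attached as `else if (siz > NFS_SRVMAXDATA(nd))`, so it is skipped on the `siz <= 0` path where `siz = cnt` is taken, and nothing visible here shows that cnt is already bounded by NFS_SRVMAXDATA(nd). Either confirm that bound is enforced above this hunk and say so in the comment, or make the upper clamp a separate `if` after the `siz = cnt` assignment. The round-up to a multiple of DIRBLKSIZ also runs after the clamp, so siz can end up above NFS_SRVMAXDATA(nd) when that value is not itself a multiple of DIRBLKSIZ.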
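Review bot: in nfsrvd_compound(), the re-added binuptime() / nfsrvd_statstart() / `statsinprog = 1` block in the second nfs_nfsdsocket.c hunk sits after the closing `}` of the range check's else arm rather than inside it, so it is only safe if the out-of-range arm (elided between the two hunks) always leaves the loop before reaching it. Worth confirming that arm exits in every case, or moving the three lines into the else arm next to `repp++`. A one-line comment stating that statistics must not start until op has passed the range check would keep the ordering from being undone again.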