6b3b697d65
svc_tcp_sendmsg() calls xdr_buf_to_bvec() with the second slot of rq_bvec as the start, but doesn't reduce the array length by one, which could lead to an array overrun. Also, rq_bvec is always rq_maxpages in length, which can be too short in some cases, since the TCP record marker consumes a slot. Fix both problems by adding a separate bvec array to the svc_sock that is specifically for sending. For TCP, make this array one slot longer than rq_maxpages, to account for the record marker. For UDP, only allocate as large an array as we need since it's limited to 64k of payload. Signed-off-by: Jeff Layton <jlayton@kernel.org> Reviewed-by: NeilBrown <neil@brown.name> Signed-off-by: Chuck Lever <chuck.lever@oracle.com> |
||
|---|---|---|
| .. | ||
| xdrgen | ||
| addr.h | ||
| auth.h | ||
| auth_gss.h | ||
| bc_xprt.h | ||
| cache.h | ||
| clnt.h | ||
| debug.h | ||
| gss_api.h | ||
| gss_err.h | ||
| gss_krb5.h | ||
| metrics.h | ||
| msg_prot.h | ||
| rdma_rn.h | ||
| rpc_pipe_fs.h | ||
| rpc_rdma.h | ||
| rpc_rdma_cid.h | ||
| sched.h | ||
| stats.h | ||
| svc.h | ||
| svc_rdma.h | ||
| svc_rdma_pcl.h | ||
| svc_xprt.h | ||
| svcauth.h | ||
| svcauth_gss.h | ||
| svcsock.h | ||
| timer.h | ||
| types.h | ||
| xdr.h | ||
| xprt.h | ||
| xprtmultipath.h | ||
| xprtrdma.h | ||
| xprtsock.h | ||