From 3a3441ef7665b5f55a9e2de63ea07173bf0f0db0 Mon Sep 17 00:00:00 2001
From: Anand Avati
Date: Mon, 26 Aug 2013 21:58:26 -0700
Subject: nfs: prevent NFS server crash when upgrading from 3.2.x server

After an upgrade the NFS3 filehandle size changed (became smaller), but when doing a live ugprade the client would send the old handle (expect ESTALE and do fresh lookup). But when reading the old handle we were reading it into a structure which was limited to the size of the new handle, while we should have been reading into a buffer which is as big as the NFS3 spec permits the handle size to be. The actor functions declare the structure on the stack. So the overflow is resulting in a stack corruption.

Change-Id: Ie930875ac9db46b43d1cb8ad1e6d89cdaeded7ca
BUG: 1002385
Signed-off-by: Anand Avati
Reviewed-on: http://review.gluster.org/5730
Reviewed-by: Rajesh Joseph
Reviewed-by: Niels de Vos
Tested-by: Gluster Build System
---
 xlators/nfs/server/src/nfs3-fh.h | 5 +++++
 1 file changed, 5 insertions(+)
(limited to 'xlators/nfs')

diff --git a/xlators/nfs/server/src/nfs3-fh.h b/xlators/nfs/server/src/nfs3-fh.h
index 23957d977..c22f913a3 100644
--- a/xlators/nfs/server/src/nfs3-fh.h
+++ b/xlators/nfs/server/src/nfs3-fh.h
@@ -65,6 +65,11 @@ struct nfs3_fh {
 /* File/dir gfid. */
 uuid_t gfid;
+ /* This structure must be exactly NFS3_FHSIZE (64) bytes long. Having the structure shorter results in buffer overflows during XDR decoding.
+ */
+ unsigned char padding[NFS3_FHSIZE - GF_NFSFH_STATIC_SIZE];
 } __attribute__((__packed__));
 #define GF_NFS3FH_STATIC_INITIALIZER {{0},}
-- cgit
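Review bot: The new `padding` member only makes `sizeof(struct nfs3_fh)` equal to `NFS3_FHSIZE` while `GF_NFSFH_STATIC_SIZE` stays equal to the combined size of the members ahead of it; if a later edit adds or resizes a field without updating that macro, the same XDR-decode overflow this commit fixes comes back silently, because nothing in the hunk checks the final size. A compile-time check after the closing brace pins the invariant the added comment states, e.g. `_Static_assert(sizeof(struct nfs3_fh) == NFS3_FHSIZE, "nfs3_fh must be NFS3_FHSIZE bytes");` (or the negative-array-size form if the build does not allow C11). Enlarging the destination also treats the symptom: the decoder that copies a wire-supplied handle into this struct is not in the hunk, but it should bound that copy by the destination size rather than rely on the layout here. The `struct nfs3_fh` definition begins before line 65 and is only partly visible in this hunk.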