Thread (5 messages) 5 messages, 4 authors, 2023-01-22

Re: Question about CVE-2022-43945

From: yangerkun <hidden>
Date: 2022-11-12 09:04:55


On 2022/11/12 13:01, yangerkun wrote:
> Hi, Chuck Lever,
>
> CVE-2022-43945 (https://nvd.nist.gov/vuln/detail/CVE-2022-43945) describes
> that a normal request header ended with garbage data can trigger the
> nfsd overflow, since nfsd shares the request and response with the same
> pages array.
>
> It seems that the
> patchset (https://lore.kernel.org/linux-nfs/166204973526.1435.6068003336048840051.stgit@manet.1015granger.net/T/#t)
> has solved NFSv2/NFSv3, but leaves NFSv4 still vulnerable?
>
> Another question, for a stable branch like lts-5.10, since NFSv2/NFSv3 did
> not switch to xdr_stream, the nfs_request_too_big in nfsd_dispatch will
> reject requests like READ/READDIR with too large a request. So it seems
> a branch without that "switch" is ok for NFSv2/NFSv3, but NFSv3 is still
> vulnerable. Right?
>
> Looking forward to your reply!
Sorry, I notice that 76ce4dcec0dc ("NFSD: Cap rsize_bop result based on send
buffer size") fixes the same problem for NFSv4.

So, for a stable branch like lts-5.10 in which NFSv2/NFSv3 do not switch
to xdr_stream, it seems we only need 76ce4dcec0dc ("NFSD: Cap rsize_bop
result based on send buffer size"). Right?
Thanks,
Erkun Yang