NFSv4: limit lease period in nfs4_set_lease_period()

In nfs4_set_lease_period(), the passed 32-bit lease period in seconds is multiplied by HZ -- that might overflow before being implicitly cast to *unsigned long* (32/64-bit type), while initializing the lease variable. Cap the lease period at MAX_LEASE_PERIOD (#define'd to 1 hour for now), before multipying to avoid such overflow... Found by Linux Verification Center (linuxtesting.org) with the Svace static analysis tool. Signed-off-by: Sergey Shtylyov <s.shtylyov@omp.ru> Suggested-by: Trond Myklebust <trondmy@kernel.org> Signed-off-by: Anna Schumaker <anna.schumaker@oracle.com>
2026-04-18 06:44:00 -04:00 · 2025-12-08 23:15:04 +03:00
parent 3d57c44e91
commit e29a3e61ee
1 changed files with 9 additions and 1 deletions
--- a/fs/nfs/nfs4renewd.c
+++ b/fs/nfs/nfs4renewd.c
@@ -133,6 +133,8 @@ nfs4_kill_renewd(struct nfs_client *clp)
 	cancel_delayed_work_sync(&clp->cl_renewd);
 }

+#define MAX_LEASE_PERIOD (60 * 60)	/* 1 hour */
+
 /**
 * nfs4_set_lease_period - Sets the lease period on a nfs_client
 *
@@ -141,7 +143,13 @@ nfs4_kill_renewd(struct nfs_client *clp)
 */
 void nfs4_set_lease_period(struct nfs_client *clp, u32 period)
 {
-	unsigned long lease = period * HZ;
+	unsigned long lease;
+
+	/* Limit the lease period */
+	if (period < MAX_LEASE_PERIOD)
+		lease = period * HZ;
+	else
+		lease = MAX_LEASE_PERIOD * HZ;

 	spin_lock(&clp->cl_lock);
 	clp->cl_lease_time = lease;