Hello,
- When sending a COMPOUND request with the tag "create_session" (14 bytes), the reply is expected to include XDR padding to a 4-byte boundary, i.e. "create_session" + "\x00\x00".
- On 5.14.0-611.45.1.el9_7.x86_64, the padding bytes are sometimes observed to be non-zero (e.g. "\xff\xff").
- From inspection of recent upstream code, nfs4svc_encode_compoundres() also appears not to explicitly zero-fill the padding.
- Is this understanding correct?
- If so, is this a known issue or something that should be fixed?
-
In nfsd4_proc_compound(), space for taglen + tag + opcnt is reserved via: xdr_reserve_space(resp->xdr, XDR_UNIT * 2 + args->taglen);
-
In nfs4svc_encode_compoundres(), only the tag payload is copied: memcpy(p, resp->tag, resp->taglen);
-
The pointer is then advanced using: p += XDR_QUADLEN(resp->taglen);
-
but the padding bytes do not appear to be explicitly zeroed.
-
As a result, it seems possible that uninitialized data remains in the padding region, which may explain why non-zero values such as \xff\xff appear on the wire.
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/fs/nfsd/nfs4proc.c#n3055
/*
* COMPOUND call.
*/
static __be32
nfsd4_proc_compound(struct svc_rqst *rqstp)
{
// snip
/* reserve space for: taglen, tag, and opcnt */
xdr_reserve_space(resp->xdr, XDR_UNIT * 2 + args->taglen);https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/fs/nfsd/nfs4xdr.c#n6389
bool
nfs4svc_encode_compoundres(struct svc_rqst *rqstp, struct xdr_stream *xdr)
{
// snip
memcpy(p, resp->tag, resp->taglen);
p += XDR_QUADLEN(resp->taglen);- A packet capture excerpt (attached separately via gist) shows: above
- The issue is not deterministic: when repeatedly sending CREATE_SESSION, it was observed roughly once every ~5 attempts.
- This was discovered while implementing an NFSv4 client in Rust.