FreeBSD Mail Archives

Date:      Thu, 26 Mar 2026 01:34:10 +0000
From:      Philip Paeps <philip@FreeBSD.org>
To:        src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
Cc:        Mark Johnston <markj@FreeBSD.org>
Subject:   git: c4f53a1adbd4 - releng/13.5 - rpcsec_gss: Fix a stack overflow in svc_rpc_gss_validate()
Message-ID:  <69c48d12.1c7b0.4f914cd2@gitrepo.freebsd.org>

index | next in thread | raw e-mail


The branch releng/13.5 has been updated by philip:

URL: https://cgit.FreeBSD.org/src/commit/?id=c4f53a1adbd4d5209b45043d25e590f0c27b5314

commit c4f53a1adbd4d5209b45043d25e590f0c27b5314
Author:     Mark Johnston <markj@FreeBSD.org>
AuthorDate: 2026-03-24 02:12:42 +0000
Commit:     Philip Paeps <philip@FreeBSD.org>
CommitDate: 2026-03-26 01:30:59 +0000

    rpcsec_gss: Fix a stack overflow in svc_rpc_gss_validate()
    
    svc_rpc_gss_validate() copies the input message into a stack buffer
    without ensuring that the buffer is large enough.  Sure enough,
    oa_length may be up to 400 bytes, much larger than the provided space.
    This enables an unauthenticated user to trigger an overflow and obtain
    remote code execution.
    
    Add a runtime check which verifies that the copy won't overflow.
    
    Approved by:    so
    Security:       FreeBSD-SA-26:08.rpcsec_gss
    Security:       CVE-2026-4747
    Reported by:    Nicholas Carlini <npc@anthropic.com>
    Reviewed by:    rmacklem
    Fixes:          a9148abd9da5d
---
 lib/librpcsec_gss/svc_rpcsec_gss.c  |  9 ++++++++-
 sys/rpc/rpcsec_gss/svc_rpcsec_gss.c | 10 +++++++++-
 2 files changed, 17 insertions(+), 2 deletions(-)

diff --git a/lib/librpcsec_gss/svc_rpcsec_gss.c b/lib/librpcsec_gss/svc_rpcsec_gss.c
index e9d39a813f86..73b92371e6d0 100644
--- a/lib/librpcsec_gss/svc_rpcsec_gss.c
+++ b/lib/librpcsec_gss/svc_rpcsec_gss.c
@@ -758,6 +758,14 @@ svc_rpc_gss_validate(struct svc_rpc_gss_client *client, struct rpc_msg *msg,
 	
 	memset(rpchdr, 0, sizeof(rpchdr));
 
+	oa = &msg->rm_call.cb_cred;
+
+	if (oa->oa_length > sizeof(rpchdr) - 8 * BYTES_PER_XDR_UNIT) {
+		log_debug("auth length %d exceeds maximum", oa->oa_length);
+		client->cl_state = CLIENT_STALE;
+		return (FALSE);
+	}
+
 	/* Reconstruct RPC header for signing (from xdr_callmsg). */
 	buf = rpchdr;
 	IXDR_PUT_LONG(buf, msg->rm_xid);
@@ -766,7 +774,6 @@ svc_rpc_gss_validate(struct svc_rpc_gss_client *client, struct rpc_msg *msg,
 	IXDR_PUT_LONG(buf, msg->rm_call.cb_prog);
 	IXDR_PUT_LONG(buf, msg->rm_call.cb_vers);
 	IXDR_PUT_LONG(buf, msg->rm_call.cb_proc);
-	oa = &msg->rm_call.cb_cred;
 	IXDR_PUT_ENUM(buf, oa->oa_flavor);
 	IXDR_PUT_LONG(buf, oa->oa_length);
 	if (oa->oa_length) {
diff --git a/sys/rpc/rpcsec_gss/svc_rpcsec_gss.c b/sys/rpc/rpcsec_gss/svc_rpcsec_gss.c
index 93a41dc045cc..8e98a87b36be 100644
--- a/sys/rpc/rpcsec_gss/svc_rpcsec_gss.c
+++ b/sys/rpc/rpcsec_gss/svc_rpcsec_gss.c
@@ -1079,6 +1079,15 @@ svc_rpc_gss_validate(struct svc_rpc_gss_client *client, struct rpc_msg *msg,
 	
 	memset(rpchdr, 0, sizeof(rpchdr));
 
+	oa = &msg->rm_call.cb_cred;
+
+	if (oa->oa_length > sizeof(rpchdr) - 8 * BYTES_PER_XDR_UNIT) {
+		rpc_gss_log_debug("auth length %d exceeds maximum",
+		    oa->oa_length);
+		client->cl_state = CLIENT_STALE;
+		return (FALSE);
+	}
+
 	/* Reconstruct RPC header for signing (from xdr_callmsg). */
 	buf = rpchdr;
 	IXDR_PUT_LONG(buf, msg->rm_xid);
@@ -1087,7 +1096,6 @@ svc_rpc_gss_validate(struct svc_rpc_gss_client *client, struct rpc_msg *msg,
 	IXDR_PUT_LONG(buf, msg->rm_call.cb_prog);
 	IXDR_PUT_LONG(buf, msg->rm_call.cb_vers);
 	IXDR_PUT_LONG(buf, msg->rm_call.cb_proc);
-	oa = &msg->rm_call.cb_cred;
 	IXDR_PUT_ENUM(buf, oa->oa_flavor);
 	IXDR_PUT_LONG(buf, oa->oa_length);
 	if (oa->oa_length) {

home | help

Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?69c48d12.1c7b0.4f914cd2>

Header And Logo

Peripheral Links

Site Navigation

Header And Logo

Peripheral Links

Search

Site Navigation