Date: Wed, 01 Dec 2021 00:47:04 +0000 From: bugzilla-noreply@freebsd.org To: bugs@FreeBSD.org Subject: [Bug 260111] NFS v4 server crash due to ACL handling Message-ID: <bug-260111-227-BEB9MK06EK@https.bugs.freebsd.org/bugzilla/> In-Reply-To: <bug-260111-227@https.bugs.freebsd.org/bugzilla/> References: <bug-260111-227@https.bugs.freebsd.org/bugzilla/>
next in thread | previous in thread | raw e-mail | index | archive | help
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D260111 Rick Macklem <rmacklem@FreeBSD.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|New |Open Assignee|bugs@FreeBSD.org |rmacklem@FreeBSD.org --- Comment #1 from Rick Macklem <rmacklem@FreeBSD.org> --- Created attachment 229822 --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=3D229822&action= =3Dedit Sanity check the acecnt and who size, plus fix a nfsv4_dissectacl() error c= ase This patch should fix the crash, plus a couple of other things. It... - Adds an if (error) check for the nfsrv_dissectacl() call that didn't have it to avoid the nfsm_advance() call at the end of nfsv4_loadattr(), as noted by Robert. - Adds a sanity check for the acecnt. (Checking for negative was the minimal check needed, but I also included an upper bound.) (As an aside, I should probably have made most of these count variables uint32_t instead of int, but that was 20years ago.) - Add a sanity check on the size of the "who" string, since a data buffer for it is malloc()d. Maybe Robert can check to see this patch fixes the crash for him? --=20 You are receiving this mail because: You are the assignee for the bug.=
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-260111-227-BEB9MK06EK>