To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Olivier Certner
Subject: git: dab039c0e980 - stable/14 - sys/rpc: UNIX auth: Use AUTH_SYS_MAX_{GROUPS,HOSTNAME} as limits (1/2)
List-Id: Commits to the stable branches of the FreeBSD src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches
X-BeenThere: dev-commits-src-branches@freebsd.org
Sender: owner-dev-commits-src-branches@FreeBSD.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: olce
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/14
X-Git-Reftype: branch
X-Git-Commit: dab039c0e9803f1b0cd30cf0719e8d70822fb88d
Auto-Submitted: auto-generated
Date: Fri, 19 Dec 2025 09:19:08 +0000
Message-Id: <6945188c.3cdd8.4b1fc87e@gitrepo.freebsd.org>

The branch stable/14 has been updated by olce:

URL: https://cgit.FreeBSD.org/src/commit/?id=dab039c0e9803f1b0cd30cf0719e8d70822fb88d

commit dab039c0e9803f1b0cd30cf0719e8d70822fb88d
Author: Olivier Certner
AuthorDate: 2025-10-07 08:46:56 +0000
Commit: Olivier Certner
CommitDate: 2025-12-19 09:16:44 +0000

sys/rpc: UNIX auth: Use AUTH_SYS_MAX_{GROUPS,HOSTNAME} as limits (1/2)

Consistently with the XDR_INLINE() variant of xdr_authunix_parms() (_svcauth_unix() in 'svc_auth_unix.c'), reject messages with credentials having a machine name length in excess of AUTH_SYS_MAX_HOSTNAME or more than AUTH_SYS_MAX_GROUPS supplementary groups, which do not conform to RFC 5531.

This is done mainly because we cannot store excess groups anyway, even if at odds with the robustness principle ("be liberal in what you accept").

While here, make sure the current code is immune to AUTH_SYS_MAX_GROUPS changing value (in future RFCs?) even if that seems improbable.

Reviewed by: rmacklem Fixes: dfdcada31e79 ("Add the new kernel-mode NFS Lock Manager.") MFC after: 2 days Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D52962 (cherry picked from commit b119ef0f6a81eb32b0e1cd0075cec499543e7ddd) --- sys/rpc/authunix_prot.c | 33 +++++++++++++++++++++++---------- 1 file changed, 23 insertions(+), 10 deletions(-) diff --git a/sys/rpc/authunix_prot.c b/sys/rpc/authunix_prot.c index f2749e68e763..5189a279da8b 100644 --- a/sys/rpc/authunix_prot.c +++ b/sys/rpc/authunix_prot.c @@ -54,9 +54,6 @@ static char *sccsid = "@(#)authunix_prot.c 2.1 88/07/29 4.0 RPCSRC"; #include -/* gids compose part of a credential; there may not be more than 16 of them */ -#define NGRPS 16 - /* * XDR for unix authentication parameters. */ @@ -69,13 +66,10 @@ xdr_authunix_parms(XDR *xdrs, uint32_t *time, struct xucred *cred) char hostbuf[MAXHOSTNAMELEN]; if (xdrs->x_op == XDR_ENCODE) { - /* - * Restrict name length to 255 according to RFC 1057. - */ getcredhostname(NULL, hostbuf, sizeof(hostbuf)); namelen = strlen(hostbuf); - if (namelen > 255) - namelen = 255; + if (namelen > AUTH_SYS_MAX_HOSTNAME) + namelen = AUTH_SYS_MAX_HOSTNAME; } else { namelen = 0; } @@ -91,6 +85,8 @@ xdr_authunix_parms(XDR *xdrs, uint32_t *time, struct xucred *cred) if (!xdr_opaque(xdrs, hostbuf, namelen)) return (FALSE); } else { + if (namelen > AUTH_SYS_MAX_HOSTNAME) + return (FALSE); xdr_setpos(xdrs, xdr_getpos(xdrs) + RNDUP(namelen)); } 
@@ -116,13 +112,30 @@ xdr_authunix_parms(XDR *xdrs, uint32_t *time, struct xucred *cred) */ MPASS(cred->cr_ngroups <= XU_NGROUPS); supp_ngroups = cred->cr_ngroups - 1; - if (supp_ngroups > NGRPS) - supp_ngroups = NGRPS; + if (supp_ngroups > AUTH_SYS_MAX_GROUPS) + /* With current values, this should never execute. */ + supp_ngroups = AUTH_SYS_MAX_GROUPS; } if (!xdr_uint32_t(xdrs, &supp_ngroups)) return (FALSE); + /* + * Because we cannot store more than XU_NGROUPS in total (16 at time of + * this writing), for now we choose to be strict with respect to RFC + * 5531's maximum number of supplementary groups (AUTH_SYS_MAX_GROUPS). + * That would also be an accidental DoS prevention measure if the + * request handling code didn't try to reassemble it in full without any + * size limits. Although AUTH_SYS_MAX_GROUPS and XU_NGROUPS are equal, + * since the latter includes the "effective" GID, we cannot store the + * last group of a message with exactly AUTH_SYS_MAX_GROUPS + * supplementary groups. We accept such messages so as not to violate + * the protocol, silently dropping the last group on the floor. + */ + + if (xdrs->x_op != XDR_ENCODE && supp_ngroups > AUTH_SYS_MAX_GROUPS) + return (FALSE); + junk = 0; for (i = 0; i < supp_ngroups; ++i) if (!xdr_uint32_t(xdrs, i < XU_NGROUPS - 1 ?
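Review bot: in the XDR_ENCODE branch (hunk @@ -69,13 +66,10 @@), the removed comment was the only statement of why the host name length is clamped, and the new `if (namelen > AUTH_SYS_MAX_HOSTNAME)` clamp carries none. Suggest keeping a one-line comment there that cites RFC 5531, as the commit message does, and says that encoding truncates silently while decoding now rejects.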
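Review bot: in the decode branch (hunk @@ -91,6 +85,8 @@), the new `namelen > AUTH_SYS_MAX_HOSTNAME` check bounds the skip length, but the result of the following `xdr_setpos(xdrs, xdr_getpos(xdrs) + RNDUP(namelen))` is still discarded, so a message shorter than its declared name length is not rejected at this point. Consider returning FALSE when xdr_setpos() reports failure, so that both kinds of malformed name length fail in the same place.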
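Review bot: the new decode-side check `if (xdrs->x_op != XDR_ENCODE && supp_ngroups > AUTH_SYS_MAX_GROUPS)` in hunk @@ -116,13 +112,30 @@ also matches XDR_FREE; testing `xdrs->x_op == XDR_DECODE` would state the intent exactly. Two style points in the same hunk: the explanatory comment is separated by a blank line from the `if` it documents, and the encode-side clamp is an unbraced `if` whose body is a comment followed by a statement, so adding braces would make it harder to break in a later edit.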