From nobody Thu Oct 16 16:58:22 2025 X-Original-To: dev-commits-src-all@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4cnZ0H3fw6z6Cnj6; Thu, 16 Oct 2025 16:58:23 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R12" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4cnZ0G4v2xz3k7R; Thu, 16 Oct 2025 16:58:22 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1760633902; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=EHdhCOHiIzx7zVdzE2qzqEzrVWDeLYb59xtDpAZ1DXI=; b=W+g9cvuDwQ+ksjdiqETiezxDlYGw54qb+o4G+iKaNRyIo+iXl729vgbr/0Kjja84lsrxvp EJif+CsbCUv9BoxB7qPUBjTgnJ1R2V0ezL9sFNmA852kDX8kgkJAGwkSb1NHBkTpGQvsnF +8/TShpsp133Oi0BSVp3Isbo4EOTgN8HjlVbbjK+mNmMPii3MAcE3QL20hyN4FbgpmKe5I LPuSAniCkgN+csW3q85J34Wdx4fz0zn/cZzoYPdt12nEUe10X9bKqYRB5VIV4UaR/I+JLo K3wj6lncjJndqY/Qs837TtYMKiFcfKWnTwxtS976WcDp9+sZktyg2CE3bja81w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1760633902; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=EHdhCOHiIzx7zVdzE2qzqEzrVWDeLYb59xtDpAZ1DXI=; b=XdBPJxVxY3Ew6AcuuLw+de2oT70gbSGalmoCaOj/plwLThBYG/7Sg96HlRTySVknpK3uVP mLenPUGUGwRqKwsneNNJ9CwnoPzPPpISb1YyXyacTFegKpM7/dUmEq9r2hbXkHgshpLHSk 5GydTti/tu9jlwi/6sUNngtqanYUz+x8dBjTCN4gsgT3C5JD8rQxifg3uaC5e0lCSS89LQ gYLrTdJq1aBencG7HcP2RoOYOYMdHfccMQZVfr0lscVFE8XMBX+1ikgNUUPYuZh+WkAguQ dsxy+X3E2z4tUXMkl4DfMAYVYhLQpEcq51T3gOOq4V9kALnbpLybHifSFrmysA== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1760633902; a=rsa-sha256; cv=none; b=u/JU3P/M4AhwogSRr4RiY3P7GGGHI8PhlcLD3oBnqB0Jh925KM0Pwftm447vh3kHJ2B9or 5693cdPKaMrmlrsKfQoA8/jppUWeJZK1DmgsSiW2JwXs+aGs1NYvziQ0kZfEeZ2EAwvXCg AosBn5OqvREuh/1atxKwm173O3n85lBhFR3uuowa+bg8bHuN+acOX95qygeK00wPEcc5yk SqAEb9J81bRoZfQmcVeJJsdBnGwJJgJDr4oIt244jItdNvzNCx/ySNdNCgBmQ9YQIuOrUQ hthUte1KjorUIp3UQ1U5IhO3T6bZeE8uhqaBAB1f1xD50FFBoJriNvVHGONXYw== ARC-Authentication-Results: i=1; mx1.freebsd.org; none Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4cnZ0G3nhLz2Cd; Thu, 16 Oct 2025 16:58:22 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.18.1/8.18.1) with ESMTP id 59GGwMXc055806; Thu, 16 Oct 2025 16:58:22 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.18.1/8.18.1/Submit) id 59GGwMPh055803; Thu, 16 Oct 2025 16:58:22 GMT (envelope-from git) Date: Thu, 16 Oct 2025 16:58:22 GMT Message-Id: <202510161658.59GGwMPh055803@gitrepo.freebsd.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Olivier Certner Subject: git: 34fc20503f04 - stable/15 - sys/rpc: UNIX auth: Use AUTH_SYS_MAX_{GROUPS,HOSTNAME} as limits (1/2) List-Id: Commit messages for all branches of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-all@freebsd.org Sender: owner-dev-commits-src-all@FreeBSD.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: olce X-Git-Repository: src X-Git-Refname: refs/heads/stable/15 X-Git-Reftype: branch X-Git-Commit: 34fc20503f04e3c035844f4bfa8eb72964ccbf68 Auto-Submitted: auto-generated The branch stable/15 has been updated by olce: URL: https://cgit.FreeBSD.org/src/commit/?id=34fc20503f04e3c035844f4bfa8eb72964ccbf68 commit 34fc20503f04e3c035844f4bfa8eb72964ccbf68 Author: Olivier Certner AuthorDate: 2025-10-07 08:46:56 +0000 Commit: Olivier Certner CommitDate: 2025-10-16 16:57:45 +0000 sys/rpc: UNIX auth: Use AUTH_SYS_MAX_{GROUPS,HOSTNAME} as limits (1/2) Consistently with the XDR_INLINE() variant of xdr_authunix_parms() (_svcauth_unix() in 'svc_auth_unix.c'), reject messages with credentials having a machine name length in excess of AUTH_SYS_MAX_HOSTNAME or more than AUTH_SYS_MAX_GROUPS supplementary groups, which do not conform to RFC 5531. This is done mainly because we cannot store excess groups anyway, even if at odds with the robustness principle ("be liberal in what you accept"). While here, make sure the current code is immune to AUTH_SYS_MAX_GROUPS changing value (in future RFCs?) even if that seems improbable. Reviewed by: rmacklem Fixes: dfdcada31e79 ("Add the new kernel-mode NFS Lock Manager.") MFC after: 2 days Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D52962 (cherry picked from commit b119ef0f6a81eb32b0e1cd0075cec499543e7ddd) --- sys/rpc/authunix_prot.c | 33 +++++++++++++++++++++++---------- 1 file changed, 23 insertions(+), 10 deletions(-) diff --git a/sys/rpc/authunix_prot.c b/sys/rpc/authunix_prot.c index 89f0ab3ed44e..c1a9f90bbe28 100644 --- a/sys/rpc/authunix_prot.c +++ b/sys/rpc/authunix_prot.c @@ -50,9 +50,6 @@ #include -/* gids compose part of a credential; there may not be more than 16 of them */ -#define NGRPS 16 - /* * XDR for unix authentication parameters. */ @@ -65,13 +62,10 @@ xdr_authunix_parms(XDR *xdrs, uint32_t *time, struct xucred *cred) char hostbuf[MAXHOSTNAMELEN]; if (xdrs->x_op == XDR_ENCODE) { - /* - * Restrict name length to 255 according to RFC 1057. - */ getcredhostname(NULL, hostbuf, sizeof(hostbuf)); namelen = strlen(hostbuf); - if (namelen > 255) - namelen = 255; + if (namelen > AUTH_SYS_MAX_HOSTNAME) + namelen = AUTH_SYS_MAX_HOSTNAME; } else { namelen = 0; } @@ -87,6 +81,8 @@ xdr_authunix_parms(XDR *xdrs, uint32_t *time, struct xucred *cred) if (!xdr_opaque(xdrs, hostbuf, namelen)) return (FALSE); } else { + if (namelen > AUTH_SYS_MAX_HOSTNAME) + return (FALSE); xdr_setpos(xdrs, xdr_getpos(xdrs) + RNDUP(namelen)); } @@ -112,13 +108,30 @@ xdr_authunix_parms(XDR *xdrs, uint32_t *time, struct xucred *cred) */ MPASS(cred->cr_ngroups <= XU_NGROUPS); supp_ngroups = cred->cr_ngroups - 1; - if (supp_ngroups > NGRPS) - supp_ngroups = NGRPS; + if (supp_ngroups > AUTH_SYS_MAX_GROUPS) + /* With current values, this should never execute. */ + supp_ngroups = AUTH_SYS_MAX_GROUPS; } if (!xdr_uint32_t(xdrs, &supp_ngroups)) return (FALSE); + /* + * Because we cannot store more than XU_NGROUPS in total (16 at time of + * this writing), for now we choose to be strict with respect to RFC + * 5531's maximum number of supplementary groups (AUTH_SYS_MAX_GROUPS). + * That would also be an accidental DoS prevention measure if the + * request handling code didn't try to reassemble it in full without any + * size limits. Although AUTH_SYS_MAX_GROUPS and XU_NGROUPS are equal, + * since the latter includes the "effective" GID, we cannot store the + * last group of a message with exactly AUTH_SYS_MAX_GROUPS + * supplementary groups. We accept such messages so as not to violate + * the protocol, silently dropping the last group on the floor. + */ + + if (xdrs->x_op != XDR_ENCODE && supp_ngroups > AUTH_SYS_MAX_GROUPS) + return (FALSE); + junk = 0; for (i = 0; i < supp_ngroups; ++i) if (!xdr_uint32_t(xdrs, i < XU_NGROUPS - 1 ?