Date: Fri, 7 Oct 2016 14:46:34 +0000 (UTC) From: Ed Maste <emaste@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-10@freebsd.org Subject: svn commit: r306809 - stable/10/sys/fs/nfs Message-ID: <201610071446.u97EkYgu070845@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: emaste Date: Fri Oct 7 14:46:34 2016 New Revision: 306809 URL: https://svnweb.freebsd.org/changeset/base/306809 Log: MFC r299199: Add nid_namelen bounds check to nfssvc system call This is only allowed by root and only used by the nfs daemon, which should not provide an incorrect value. However, it's still good practice to validate data provided by userland. PR: 206626 Modified: stable/10/sys/fs/nfs/nfs_commonsubs.c Directory Properties: stable/10/ (props changed) Modified: stable/10/sys/fs/nfs/nfs_commonsubs.c ============================================================================== --- stable/10/sys/fs/nfs/nfs_commonsubs.c Fri Oct 7 13:43:38 2016 (r306808) +++ stable/10/sys/fs/nfs/nfs_commonsubs.c Fri Oct 7 14:46:34 2016 (r306809) @@ -3167,6 +3167,10 @@ nfssvc_idname(struct nfsd_idargs *nidp) static int onethread = 0; static time_t lasttime = 0; + if (nidp->nid_namelen <= 0 || nidp->nid_namelen > MAXHOSTNAMELEN) { + error = EINVAL; + goto out; + } if (nidp->nid_flag & NFSID_INITIALIZE) { cp = malloc(nidp->nid_namelen + 1, M_NFSSTRING, M_WAITOK); error = copyin(CAST_USER_ADDR_T(nidp->nid_name), cp,
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201610071446.u97EkYgu070845>