Date: Thu, 30 Oct 2025 01:03:57 GMT
Message-Id: <202510300103.59U13vKi006953@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Rick Macklem
Subject: git: 609c4eb70afe - stable/15 - nfs_clrpcops.c: Fix two possible large NFSM_DISSECT()s
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
X-BeenThere: dev-commits-src-all@freebsd.org
Sender: owner-dev-commits-src-all@FreeBSD.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: rmacklem
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/15
X-Git-Reftype: branch
X-Git-Commit: 609c4eb70afeb713ab38efcb34c55cfa71a5838a
Auto-Submitted: auto-generated

The branch stable/15 has been updated by rmacklem:

URL: https://cgit.FreeBSD.org/src/commit/?id=609c4eb70afeb713ab38efcb34c55cfa71a5838a

commit 609c4eb70afeb713ab38efcb34c55cfa71a5838a
Author:     Rick Macklem
AuthorDate: 2025-10-27 14:43:02 +0000
Commit:     Rick Macklem
CommitDate: 2025-10-30 01:00:53 +0000

    nfs_clrpcops.c: Fix two possible large NFSM_DISSECT()s

    There are two cases in nfs_clrpcops.c where it was possible
    for the code to attempt to NFSM_DISSECT() a large size, which
    is not allowed by nfsm_dissct().

    This patch fixes them.

    Reducing the maximum stripecnt should be no problem, since
    there is no extant NFSv4.n server that does striped File Layout
    pNFS and current development is centered around the Flex File
    layout.

    (cherry picked from commit b9e6206f593385c80436d267ab759319c1e94e43)
---
 sys/fs/nfsclient/nfs_clrpcops.c | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/sys/fs/nfsclient/nfs_clrpcops.c b/sys/fs/nfsclient/nfs_clrpcops.c
index efc0c31fc589..06e9d9f87628 100644
--- a/sys/fs/nfsclient/nfs_clrpcops.c
+++ b/sys/fs/nfsclient/nfs_clrpcops.c
@@ -5804,7 +5804,8 @@ nfsrpc_getdeviceinfo(struct nfsmount *nmp, uint8_t *deviceid, int layouttype, NFSM_DISSECT(tl, uint32_t *, NFSX_UNSIGNED); stripecnt = fxdr_unsigned(int, *tl); NFSCL_DEBUG(4, "stripecnt=%d\n", stripecnt); - if (stripecnt < 1 || stripecnt > 4096) { + if (stripecnt >= MHLEN / NFSX_UNSIGNED || + stripecnt < 1) { printf("pNFS File layout devinfo stripecnt %d:" " out of range\n", stripecnt); error = NFSERR_BADXDR; @@ -8250,7 +8251,7 @@ nfsrv_parseug(struct nfsrv_descript *nd, int dogrp, uid_t *uidp, gid_t *gidp, NFSPROC_T *p) { uint32_t *tl; - char *cp, *str, str0[NFSV4_SMALLSTR + 1]; + char *str, str0[NFSV4_SMALLSTR + 1]; uint32_t len = 0; int error = 0; @@ -8273,9 +8274,9 @@ nfsrv_parseug(struct nfsrv_descript *nd, int dogrp, uid_t *uidp, gid_t *gidp, str = malloc(len + 1, M_TEMP, M_WAITOK); else str = str0; - NFSM_DISSECT(cp, char *, NFSM_RNDUP(len)); - NFSBCOPY(cp, str, len); - str[len] = '\0'; + error = nfsrv_mtostr(nd, str, len); + if (error != 0) + goto nfsmout; NFSCL_DEBUG(4, "nfsrv_parseug: str=%s\n", str); if (dogrp != 0) error = nfsv4_strtogid(nd, str, len, gidp);
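
Review bot: In the nfsrpc_getdeviceinfo() hunk, the new upper bound `stripecnt >= MHLEN / NFSX_UNSIGNED` carries no comment explaining where it comes from, so a reader has to go to the commit message to learn that it exists to keep the following dissect within what nfsm_dissct() accepts. A one-line comment above the check would tie the two together. Since the limit is now derived from MHLEN rather than a literal, the "out of range" printf could also report the limit alongside the received stripecnt, which would make a rejected server reply easier to diagnose from the console message alone.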
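
Review bot: In the last nfsrv_parseug() hunk, the new `goto nfsmout` after nfsrv_mtostr() is reached after `str` may have been allocated with `malloc(len + 1, M_TEMP, M_WAITOK)`, so the nfsmout path has to free it whenever `str != str0`; that cleanup is outside the visible lines and is worth confirming. The explicit `str[len] = '\0'` is also removed here, which means the `%s` in NFSCL_DEBUG() and the nfsv4_strtogid() call now rely on nfsrv_mtostr() having NUL-terminated the buffer; a short comment stating that dependency would protect it against later changes to the helper.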