From owner-svn-src-all@freebsd.org Fri Oct 7 14:46:35 2016 Return-Path: Delivered-To: svn-src-all@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 5808CC04E3D; Fri, 7 Oct 2016 14:46:35 +0000 (UTC) (envelope-from emaste@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 27AC6B23; Fri, 7 Oct 2016 14:46:35 +0000 (UTC) (envelope-from emaste@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id u97EkYqe070846; Fri, 7 Oct 2016 14:46:34 GMT (envelope-from emaste@FreeBSD.org) Received: (from emaste@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id u97EkYgu070845; Fri, 7 Oct 2016 14:46:34 GMT (envelope-from emaste@FreeBSD.org) Message-Id: <201610071446.u97EkYgu070845@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: emaste set sender to emaste@FreeBSD.org using -f From: Ed Maste Date: Fri, 7 Oct 2016 14:46:34 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-10@freebsd.org Subject: svn commit: r306809 - stable/10/sys/fs/nfs X-SVN-Group: stable-10 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 07 Oct 2016 14:46:35 -0000 Author: emaste Date: Fri Oct 7 14:46:34 2016 New Revision: 306809 URL: https://svnweb.freebsd.org/changeset/base/306809 Log: MFC r299199: Add nid_namelen bounds check to nfssvc system call This is only allowed by root and only used by the nfs daemon, which should not provide an incorrect value. However, it's still good practice to validate data provided by userland. PR: 206626 Modified: stable/10/sys/fs/nfs/nfs_commonsubs.c Directory Properties: stable/10/ (props changed) Modified: stable/10/sys/fs/nfs/nfs_commonsubs.c ============================================================================== --- stable/10/sys/fs/nfs/nfs_commonsubs.c Fri Oct 7 13:43:38 2016 (r306808) +++ stable/10/sys/fs/nfs/nfs_commonsubs.c Fri Oct 7 14:46:34 2016 (r306809) @@ -3167,6 +3167,10 @@ nfssvc_idname(struct nfsd_idargs *nidp) static int onethread = 0; static time_t lasttime = 0; + if (nidp->nid_namelen <= 0 || nidp->nid_namelen > MAXHOSTNAMELEN) { + error = EINVAL; + goto out; + } if (nidp->nid_flag & NFSID_INITIALIZE) { cp = malloc(nidp->nid_namelen + 1, M_NFSSTRING, M_WAITOK); error = copyin(CAST_USER_ADDR_T(nidp->nid_name), cp,