Date: Thu, 30 Oct 2025 01:23:28 GMT
Message-Id: <202510300123.59U1NS2V044375@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Rick Macklem
Subject: git: 4f7bd8c77981 - stable/14 - nfs_clrpcops.c: Fix two possible large NFSM_DISSECT()s
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
X-Git-Committer: rmacklem
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/14
X-Git-Reftype: branch
X-Git-Commit: 4f7bd8c77981704759f731b5b84896f90b28fa6a

The branch stable/14 has been updated by rmacklem:

URL: https://cgit.FreeBSD.org/src/commit/?id=4f7bd8c77981704759f731b5b84896f90b28fa6a

commit 4f7bd8c77981704759f731b5b84896f90b28fa6a
Author:     Rick Macklem
AuthorDate: 2025-10-27 14:43:02 +0000
Commit:     Rick Macklem
CommitDate: 2025-10-30 01:20:54 +0000

    nfs_clrpcops.c: Fix two possible large NFSM_DISSECT()s

    There are two cases in nfs_clrpcops.c where it was possible
    for the code to attempt to NFSM_DISSECT() a large size, which
    is not allowed by nfsm_dissct().

    This patch fixes them.  Reducing the maximum stripecnt should
    be no problem, since there is no extant NFSv4.n server that
    does striped File Layout pNFS and current development is
    centered around the Flex File layout.

    (cherry picked from commit b9e6206f593385c80436d267ab759319c1e94e43)
---
 sys/fs/nfsclient/nfs_clrpcops.c | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/sys/fs/nfsclient/nfs_clrpcops.c b/sys/fs/nfsclient/nfs_clrpcops.c
index 527c6b6928ac..bc8611f4c119 100644
--- a/sys/fs/nfsclient/nfs_clrpcops.c
+++ b/sys/fs/nfsclient/nfs_clrpcops.c
@@ -5678,7 +5678,8 @@ nfsrpc_getdeviceinfo(struct nfsmount *nmp, uint8_t *deviceid, int layouttype, NFSM_DISSECT(tl, uint32_t *, NFSX_UNSIGNED); stripecnt = fxdr_unsigned(int, *tl); NFSCL_DEBUG(4, "stripecnt=%d\n", stripecnt); - if (stripecnt < 1 || stripecnt > 4096) { + if (stripecnt >= MHLEN / NFSX_UNSIGNED || + stripecnt < 1) { printf("pNFS File layout devinfo stripecnt %d:" " out of range\n", stripecnt); error = NFSERR_BADXDR; @@ -8124,7 +8125,7 @@ nfsrv_parseug(struct nfsrv_descript *nd, int dogrp, uid_t *uidp, gid_t *gidp, NFSPROC_T *p) { uint32_t *tl; - char *cp, *str, str0[NFSV4_SMALLSTR + 1]; + char *str, str0[NFSV4_SMALLSTR + 1]; uint32_t len = 0; int error = 0; @@ -8147,9 +8148,9 @@ nfsrv_parseug(struct nfsrv_descript *nd, int dogrp, uid_t *uidp, gid_t *gidp, str = malloc(len + 1, M_TEMP, M_WAITOK); else str = str0; - NFSM_DISSECT(cp, char *, NFSM_RNDUP(len)); - NFSBCOPY(cp, str, len); - str[len] = '\0'; + error = nfsrv_mtostr(nd, str, len); + if (error != 0) + goto nfsmout; NFSCL_DEBUG(4, "nfsrv_parseug: str=%s\n", str); if (dogrp != 0) error = nfsv4_strtogid(nd, str, len, gidp);
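
Review bot: the new upper bound in the nfsrpc_getdeviceinfo() hunk, `stripecnt >= MHLEN / NFSX_UNSIGNED`, carries no comment explaining why the limit is tied to the mbuf size, so a later reader could restore a literal such as the old 4096. A one-line comment above the condition saying that the count is capped so the dissect it sizes stays within what nfsm_dissct() allows would record the reasoning from the commit message in the code. The `printf` still reports only the offending value; adding the limit to the message would make a rejected reply from a server easier to diagnose. Keeping `stripecnt < 1` as the first test, as before, would also read more naturally, and since `stripecnt` is an int produced by `fxdr_unsigned(int, *tl)`, that test is what rejects wire values that convert to a negative count.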
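
Review bot: the new `goto nfsmout` after `nfsrv_mtostr()` in the last nfsrv_parseug() hunk is taken after `str = malloc(len + 1, M_TEMP, M_WAITOK)` may already have run, and the visible lines do not show the nfsmout path freeing `str` when it is not `str0`; please confirm that it does, or free it before the jump. The hunk also removes the explicit `str[len] = '\0'`, so the `%s` in the following `NFSCL_DEBUG` and the later `nfsv4_strtogid()` call now rely on `nfsrv_mtostr()` terminating the buffer; a short comment stating that dependency would help. Separately, `len` is a `uint32_t` taken from the reply and the hunk shows no upper bound before `malloc(len + 1, ...)`; if the bound is enforced in the lines above this context, a note in the commit message or a comment pointing at it would make the fix easier to review.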