Date: Mon, 13 Dec 2021 23:24:50 GMT
Message-Id: <202112132324.1BDNOoYW004808@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Rick Macklem
Subject: git: c302f889e21f - main - nfsd: Limit parsing of layout errors to maxcnt bytes
List-Id: Commit messages for the main branch of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main
X-Git-Committer: rmacklem
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Commit: c302f889e21f73746a3b0917df5246e639df1481

The branch main has been updated by rmacklem:

URL:
https://cgit.FreeBSD.org/src/commit/?id=c302f889e21f73746a3b0917df5246e639df1481

commit c302f889e21f73746a3b0917df5246e639df1481
Author:     Rick Macklem
AuthorDate: 2021-12-13 23:21:31 +0000
Commit:     Rick Macklem
CommitDate: 2021-12-13 23:21:31 +0000

    nfsd: Limit parsing of layout errors to maxcnt bytes

    This patch decrements maxcnt by the appropriate number of bytes
    during parsing and checks to see if there is data remaining.
    If not, it just returns from nfsrv_flexlayouterr() without
    further processing.

    This prevents the tl pointer from running off the end of the
    error data pointed at by layp, if there are flaws in the data.

    Reported by:	rtm@lcs.mit.edu
    Tested by:	rtm@lcs.mit.edu
    PR:		260293
    MFC after:	2 weeks
---
 sys/fs/nfsserver/nfs_nfsdstate.c | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/sys/fs/nfsserver/nfs_nfsdstate.c b/sys/fs/nfsserver/nfs_nfsdstate.c index 4cfac532f063..e7256345f11f 100644 --- a/sys/fs/nfsserver/nfs_nfsdstate.c +++ b/sys/fs/nfsserver/nfs_nfsdstate.c @@ -7001,14 +7001,25 @@ nfsrv_flexlayouterr(struct nfsrv_descript *nd, uint32_t *layp, int maxcnt, char devid[NFSX_V4DEVICEID]; tl = layp; - cnt = fxdr_unsigned(int, *tl++); + maxcnt -= NFSX_UNSIGNED; + if (maxcnt > 0) + cnt = fxdr_unsigned(int, *tl++); + else + cnt = 0; NFSD_DEBUG(4, "flexlayouterr cnt=%d\n", cnt); for (i = 0; i < cnt; i++) { + maxcnt -= NFSX_STATEID + 2 * NFSX_HYPER + + NFSX_UNSIGNED; + if (maxcnt <= 0) + break; /* Skip offset, length and stateid for now. */ tl += (4 + NFSX_STATEID / NFSX_UNSIGNED); errcnt = fxdr_unsigned(int, *tl++); NFSD_DEBUG(4, "flexlayouterr errcnt=%d\n", errcnt); for (j = 0; j < errcnt; j++) { + maxcnt -= NFSX_V4DEVICEID + 2 * NFSX_UNSIGNED; + if (maxcnt < 0) + break; NFSBCOPY(tl, devid, NFSX_V4DEVICEID); tl += (NFSX_V4DEVICEID / NFSX_UNSIGNED); stat = fxdr_unsigned(int, *tl++);
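Review bot: the three new bounds checks in this hunk use three different comparisons, `if (maxcnt > 0)` after the leading count word, `if (maxcnt <= 0) break;` in the outer loop and `if (maxcnt < 0) break;` in the inner loop, so a buffer that ends exactly at the field just accounted for is rejected by the first two checks but accepted by the third. For the outer loop that means a layout entry whose errcnt word is the last word of the buffer is never parsed; this is harmless only because a non-zero errcnt would run out of data anyway, but the intent is not obvious. Suggest `if (maxcnt < 0)` in all three places (with `cnt = 0;` on the short path), or a comment explaining why the outer checks are stricter. Two smaller points: the commit message says the function "just returns" on short data, while the hunk uses `break` and relies on the outer check firing again on the next iteration because maxcnt is already negative, which is correct but worth a comment; and the truncation paths are silent, so an `NFSD_DEBUG(4, ...)` next to each `break` would make malformed or truncated layout error data visible alongside the existing `flexlayouterr cnt=%d` and `errcnt=%d` messages.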