Date: Fri, 6 May 2016 21:19:28 +0000 (UTC) From: Ed Maste <emaste@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r299199 - head/sys/fs/nfs Message-ID: <201605062119.u46LJSww012861@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: emaste Date: Fri May 6 21:19:28 2016 New Revision: 299199 URL: https://svnweb.freebsd.org/changeset/base/299199 Log: Add nid_namelen bounds check to nfssvc system call This is only allowed by root and only used by the nfs daemon, which should not provide an incorrect value. However, it's still good practice to validate data provided by userland. PR: 206626 Reported by: CTurt <cturt@hardenedbsd.org> Reviewed by: rmacklem MFC after: 1 month Differential Revision: https://reviews.freebsd.org/D6201 Modified: head/sys/fs/nfs/nfs_commonsubs.c Modified: head/sys/fs/nfs/nfs_commonsubs.c ============================================================================== --- head/sys/fs/nfs/nfs_commonsubs.c Fri May 6 20:57:41 2016 (r299198) +++ head/sys/fs/nfs/nfs_commonsubs.c Fri May 6 21:19:28 2016 (r299199) @@ -3174,6 +3174,10 @@ nfssvc_idname(struct nfsd_idargs *nidp) static int onethread = 0; static time_t lasttime = 0; + if (nidp->nid_namelen <= 0 || nidp->nid_namelen > MAXHOSTNAMELEN) { + error = EINVAL; + goto out; + } if (nidp->nid_flag & NFSID_INITIALIZE) { cp = malloc(nidp->nid_namelen + 1, M_NFSSTRING, M_WAITOK); error = copyin(CAST_USER_ADDR_T(nidp->nid_name), cp,
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201605062119.u46LJSww012861>