Date: Thu, 30 Oct 2025 14:05:46 GMT
From: Rick Macklem <rmacklem@FreeBSD.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
Subject: git: 83a0732a4cfe - stable/15 - nfs_commonsubs.c: Add a sanity check for nid_ngroup
Message-ID: <202510301405.59UE5kYp077791@gitrepo.freebsd.org>
The branch stable/15 has been updated by rmacklem:

URL: https://cgit.FreeBSD.org/src/commit/?id=83a0732a4cfe9f2846e144b39ebe517cbe395fac

commit 83a0732a4cfe9f2846e144b39ebe517cbe395fac
Author: Rick Macklem <rmacklem@FreeBSD.org>
AuthorDate: 2025-10-28 14:44:14 +0000
Commit: Rick Macklem <rmacklem@FreeBSD.org>
CommitDate: 2025-10-30 14:02:49 +0000

nfs_commonsubs.c: Add a sanity check for nid_ngroup

The nfsuserd(8) daemon passes user credentials (uid + gids) into the kernel for users and groups identified by name (received from an NFSv4 server).

This patch adds a sanity check for the number of groups (nid_ngroup) passed in. Its only purpose is to protect against a bogus nfsuserd(8) running in a jail.

(cherry picked from commit 4672adcea4cf3c0c626d186f1f41c69552d915f1)

--- sys/fs/nfs/nfs_commonsubs.c | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/sys/fs/nfs/nfs_commonsubs.c b/sys/fs/nfs/nfs_commonsubs.c index 7f5b29ca2085..dd3b8b4f1708 100644 --- a/sys/fs/nfs/nfs_commonsubs.c +++ b/sys/fs/nfs/nfs_commonsubs.c @@ -4165,10 +4165,15 @@ nfssvc_idname(struct nfsd_idargs *nidp) nidp->nid_namelen); if (error == 0 && nidp->nid_ngroup > 0 && (nidp->nid_flag & NFSID_ADDUID) != 0) { - grps = malloc(sizeof(gid_t) * nidp->nid_ngroup, M_TEMP, - M_WAITOK); - error = copyin(nidp->nid_grps, grps, - sizeof(gid_t) * nidp->nid_ngroup); + grps = NULL; + if (nidp->nid_ngroup > NGROUPS_MAX) + error = EINVAL; + if (error == 0) { + grps = malloc(sizeof(gid_t) * nidp->nid_ngroup, M_TEMP, + M_WAITOK); + error = copyin(nidp->nid_grps, grps, + sizeof(gid_t) * nidp->nid_ngroup); + } if (error == 0) { /* * Create a credential just like svc_getcred(),
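
Review bot: the new "nidp->nid_ngroup > NGROUPS_MAX" test in nfssvc_idname() carries no comment explaining why NGROUPS_MAX is the bound or what the check defends against; the commit message gives the reason (a bogus nfsuserd(8) running in a jail), but a reader of the source will not see it, so a one-line comment above the check would help. The check also sets grps to NULL and skips the malloc on the EINVAL path, which means any cleanup after the following "if (error == 0)" block has to tolerate a NULL grps; that code is cut off in this hunk, so it is worth confirming against the full function. The lower bound comes only from the enclosing "nidp->nid_ngroup > 0" condition, so the accepted range is 1 through NGROUPS_MAX and the size passed to malloc and copyin is bounded by sizeof(gid_t) * NGROUPS_MAX. As a style point, the two consecutive tests could be written as a single if/else on the bound rather than setting error and then re-testing it.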
