Date: Mon, 3 Nov 2025 20:29:42 GMT
From: Colin Percival <cperciva@FreeBSD.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
Subject: git: 82579ee1f0f8 - releng/15.0 - nfs_clrpcops.c: Fix two possible large NFSM_DISSECT()s
Message-ID: <202511032029.5A3KTgIK050980@gitrepo.freebsd.org>
The branch releng/15.0 has been updated by cperciva:

URL: https://cgit.FreeBSD.org/src/commit/?id=82579ee1f0f88c8e38f6c9dfe21b52f59b23a769

commit 82579ee1f0f88c8e38f6c9dfe21b52f59b23a769
Author:     Rick Macklem <rmacklem@FreeBSD.org>
AuthorDate: 2025-10-27 14:43:02 +0000
Commit:     Colin Percival <cperciva@FreeBSD.org>
CommitDate: 2025-11-03 20:28:49 +0000

    nfs_clrpcops.c: Fix two possible large NFSM_DISSECT()s

    There are two cases in nfs_clrpcops.c where it was possible for the
    code to attempt to NFSM_DISSECT() a large size, which is not allowed
    by nfsm_dissct(). This patch fixes them.

    Reducing the maximum stripecnt should be no problem, since there is no
    extant NFSv4.n server that does striped File Layout pNFS and current
    development is centered around the Flex File layout.

    Approved by:    re (cperciva)
    (cherry picked from commit b9e6206f593385c80436d267ab759319c1e94e43)
    (cherry picked from commit 609c4eb70afeb713ab38efcb34c55cfa71a5838a)
---
 sys/fs/nfsclient/nfs_clrpcops.c | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/sys/fs/nfsclient/nfs_clrpcops.c b/sys/fs/nfsclient/nfs_clrpcops.c index efc0c31fc589..06e9d9f87628 100644 --- a/sys/fs/nfsclient/nfs_clrpcops.c +++ b/sys/fs/nfsclient/nfs_clrpcops.c @@ -5804,7 +5804,8 @@ nfsrpc_getdeviceinfo(struct nfsmount *nmp, uint8_t *deviceid, int layouttype, NFSM_DISSECT(tl, uint32_t *, NFSX_UNSIGNED); stripecnt = fxdr_unsigned(int, *tl); NFSCL_DEBUG(4, "stripecnt=%d\n", stripecnt); - if (stripecnt < 1 || stripecnt > 4096) { + if (stripecnt >= MHLEN / NFSX_UNSIGNED || + stripecnt < 1) { printf("pNFS File layout devinfo stripecnt %d:" " out of range\n", stripecnt); error = NFSERR_BADXDR; @@ -8250,7 +8251,7 @@ nfsrv_parseug(struct nfsrv_descript *nd, int dogrp, uid_t *uidp, gid_t *gidp, NFSPROC_T *p) { uint32_t *tl; - char *cp, *str, str0[NFSV4_SMALLSTR + 1]; + char *str, str0[NFSV4_SMALLSTR + 1]; uint32_t len = 0; int error = 0; 
@@ -8273,9 +8274,9 @@ nfsrv_parseug(struct nfsrv_descript *nd, int dogrp, uid_t *uidp, gid_t *gidp, str = malloc(len + 1, M_TEMP, M_WAITOK); else str = str0; - NFSM_DISSECT(cp, char *, NFSM_RNDUP(len)); - NFSBCOPY(cp, str, len); - str[len] = '\0'; + error = nfsrv_mtostr(nd, str, len); + if (error != 0) + goto nfsmout; NFSCL_DEBUG(4, "nfsrv_parseug: str=%s\n", str); if (dogrp != 0) error = nfsv4_strtogid(nd, str, len, gidp);
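Review bot: In the nfsrpc_getdeviceinfo hunk, the new bound `stripecnt >= MHLEN / NFSX_UNSIGNED` replaces the hard-coded 4096 with a limit derived from the mbuf header length, but nothing in the hunk records why that is the right ceiling; a one-line comment above the check, such as `/* Keep the stripe table small enough for nfsm_dissct(). */`, would stop a later reader from restoring a larger constant. The comparison is also `>=` rather than `>`, so the largest accepted stripecnt is one less than MHLEN / NFSX_UNSIGNED; if that is deliberate, the same comment should say so. Rejecting the server-supplied count with NFSERR_BADXDR instead of trusting it is the right failure mode, and the existing " out of range" message still describes the new behaviour.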
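Review bot: In the nfsrv_parseug hunk, replacing `NFSM_DISSECT(cp, char *, NFSM_RNDUP(len))` plus `NFSBCOPY(cp, str, len)` with `nfsrv_mtostr(nd, str, len)` drops the explicit `str[len] = '\0'`, so the NUL termination that the `%s` in NFSCL_DEBUG and the later nfsv4_strtogid() call rely on now depends on nfsrv_mtostr() writing it into the `len + 1` byte buffer; please confirm it does and note it in a comment. The new `goto nfsmout` on error is taken while `str` may still point at the `malloc(len + 1, M_TEMP, M_WAITOK)` buffer allocated a few lines above, so the nfsmout path must free it whenever `str != str0`; that code is outside the hunk, so it is worth verifying rather than assuming. Checking the return value before the string is used is otherwise the right shape.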
