From owner-svn-src-stable@FreeBSD.ORG  Tue Apr 20 01:25:18 2010
Return-Path: <owner-svn-src-stable@FreeBSD.ORG>
Delivered-To: svn-src-stable@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 852941065675;
	Tue, 20 Apr 2010 01:25:18 +0000 (UTC)
	(envelope-from rmacklem@FreeBSD.org)
Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:4f8:fff6::2c])
	by mx1.freebsd.org (Postfix) with ESMTP id 6A76B8FC08;
	Tue, 20 Apr 2010 01:25:18 +0000 (UTC)
Received: from svn.freebsd.org (localhost [127.0.0.1])
	by svn.freebsd.org (8.14.3/8.14.3) with ESMTP id o3K1PIi7073602;
	Tue, 20 Apr 2010 01:25:18 GMT
	(envelope-from rmacklem@svn.freebsd.org)
Received: (from rmacklem@localhost)
	by svn.freebsd.org (8.14.3/8.14.3/Submit) id o3K1PIk7073600;
	Tue, 20 Apr 2010 01:25:18 GMT
	(envelope-from rmacklem@svn.freebsd.org)
Message-Id: <201004200125.o3K1PIk7073600@svn.freebsd.org>
From: Rick Macklem <rmacklem@FreeBSD.org>
Date: Tue, 20 Apr 2010 01:25:18 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org,
	svn-src-stable@freebsd.org, svn-src-stable-8@freebsd.org
X-SVN-Group: stable-8
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Cc: 
Subject: svn commit: r206882 - stable/8/sys/fs/nfsserver
X-BeenThere: svn-src-stable@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: SVN commit messages for all the -stable branches of the src tree
	<svn-src-stable.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/svn-src-stable>, 
	<mailto:svn-src-stable-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-src-stable>
List-Post: <mailto:svn-src-stable@freebsd.org>
List-Help: <mailto:svn-src-stable-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/svn-src-stable>,
	<mailto:svn-src-stable-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 20 Apr 2010 01:25:18 -0000

Author: rmacklem
Date: Tue Apr 20 01:25:18 2010
New Revision: 206882
URL: http://svn.freebsd.org/changeset/base/206882

Log:
  MFC: r206236
  Harden the experimental NFS server a little, by adding range
  checks on the length of the client's open/lock owner name. Also,
  add free()'s for one case where they were missing and would
  have caused a leak if NFSERR_BADXDR had been replied. Probably
  never happens, but the leak is now plugged, just in case.

Modified:
  stable/8/sys/fs/nfsserver/nfs_nfsdserv.c
Directory Properties:
  stable/8/sys/   (props changed)
  stable/8/sys/amd64/include/xen/   (props changed)
  stable/8/sys/cddl/contrib/opensolaris/   (props changed)
  stable/8/sys/contrib/dev/acpica/   (props changed)
  stable/8/sys/contrib/dev/uath/   (props changed)
  stable/8/sys/contrib/pf/   (props changed)
  stable/8/sys/dev/xen/xenpci/   (props changed)

Modified: stable/8/sys/fs/nfsserver/nfs_nfsdserv.c
==============================================================================
--- stable/8/sys/fs/nfsserver/nfs_nfsdserv.c	Tue Apr 20 01:12:23 2010	(r206881)
+++ stable/8/sys/fs/nfsserver/nfs_nfsdserv.c	Tue Apr 20 01:25:18 2010	(r206882)
@@ -2086,6 +2086,10 @@ nfsrvd_lock(struct nfsrv_descript *nd, _
 	if (flags & NFSLCK_OPENTOLOCK) {
 		NFSM_DISSECT(tl, u_int32_t *, 5 * NFSX_UNSIGNED + NFSX_STATEID);
 		i = fxdr_unsigned(int, *(tl+4+(NFSX_STATEID / NFSX_UNSIGNED)));
+		if (i <= 0 || i > NFSV4_OPAQUELIMIT) {
+			nd->nd_repstat = NFSERR_BADXDR;
+			goto nfsmout;
+		}
 		MALLOC(stp, struct nfsstate *, sizeof (struct nfsstate) + i,
 			M_NFSDSTATE, M_WAITOK);
 		stp->ls_ownerlen = i;
@@ -2229,6 +2233,10 @@ nfsrvd_lockt(struct nfsrv_descript *nd, 
 
 	NFSM_DISSECT(tl, u_int32_t *, 8 * NFSX_UNSIGNED);
 	i = fxdr_unsigned(int, *(tl + 7));
+	if (i <= 0 || i > NFSV4_OPAQUELIMIT) {
+		nd->nd_repstat = NFSERR_BADXDR;
+		goto nfsmout;
+	}
 	MALLOC(stp, struct nfsstate *, sizeof (struct nfsstate) + i,
 	    M_NFSDSTATE, M_WAITOK);
 	stp->ls_ownerlen = i;
@@ -2350,6 +2358,8 @@ nfsrvd_locku(struct nfsrv_descript *nd, 
 		break;
 	default:
 		nd->nd_repstat = NFSERR_BADXDR;
+		free(stp, M_NFSDSTATE);
+		free(lop, M_NFSDLOCK);
 		goto nfsmout;
 	};
 	stp->ls_ownerlen = 0;
@@ -2439,6 +2449,14 @@ nfsrvd_open(struct nfsrv_descript *nd, _
 	named.ni_cnd.cn_nameiop = 0;
 	NFSM_DISSECT(tl, u_int32_t *, 6 * NFSX_UNSIGNED);
 	i = fxdr_unsigned(int, *(tl + 5));
+	if (i <= 0 || i > NFSV4_OPAQUELIMIT) {
+		nd->nd_repstat = NFSERR_BADXDR;
+		vrele(dp);
+#ifdef NFS4_ACL_EXTATTR_NAME
+		acl_free(aclp);
+#endif
+		return (0);
+	}
 	MALLOC(stp, struct nfsstate *, sizeof (struct nfsstate) + i,
 	    M_NFSDSTATE, M_WAITOK);
 	stp->ls_ownerlen = i;
@@ -3391,6 +3409,10 @@ nfsrvd_releaselckown(struct nfsrv_descri
 	}
 	NFSM_DISSECT(tl, u_int32_t *, 3 * NFSX_UNSIGNED);
 	len = fxdr_unsigned(int, *(tl + 2));
+	if (len <= 0 || len > NFSV4_OPAQUELIMIT) {
+		nd->nd_repstat = NFSERR_BADXDR;
+		return (0);
+	}
 	MALLOC(stp, struct nfsstate *, sizeof (struct nfsstate) + len,
 	    M_NFSDSTATE, M_WAITOK);
 	stp->ls_ownerlen = len;