Skip site navigation (1)Skip section navigation (2) 
Date:      Fri, 31 Oct 2025 01:06:06 GMT
From:      Rick Macklem <rmacklem@FreeBSD.org>
To:        src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
Subject:   git: c02fa3f085c6 - stable/15 - nfs_clrpcops.c: NFSM_DISSECT() reply for each dir separately
Message-ID:  <202510310106.59V166M0022328@gitrepo.freebsd.org>
index | next in thread | raw e-mail 

The branch stable/15 has been updated by rmacklem:

URL: https://cgit.FreeBSD.org/src/commit/?id=c02fa3f085c6da65dea981e3ac8adcc76470946f

commit c02fa3f085c6da65dea981e3ac8adcc76470946f
Author:     Rick Macklem <rmacklem@FreeBSD.org>
AuthorDate: 2025-10-28 21:31:30 +0000
Commit:     Rick Macklem <rmacklem@FreeBSD.org>
CommitDate: 2025-10-31 01:03:09 +0000

    nfs_clrpcops.c: NFSM_DISSECT() reply for each dir separately
    
    Without this patch, the entire reply for all directories in
    the NFSv4 mount path are parsed at once.  This could cause
    problems for mount paths with many directories in the path.
    
    This patch fixes the problem by parsing each directory
    reply in a loop.
    
    Spotted while fixing other cases that could do large
    NFSM_DISSECT() sizes.
    
    (cherry picked from commit 9d13c87afdb35c0014aa6f43c5652e946c18b756)
---
 sys/fs/nfsclient/nfs_clrpcops.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/sys/fs/nfsclient/nfs_clrpcops.c b/sys/fs/nfsclient/nfs_clrpcops.c
index ec0d3713dc9f..544b1962de26 100644
--- a/sys/fs/nfsclient/nfs_clrpcops.c
+++ b/sys/fs/nfsclient/nfs_clrpcops.c
@@ -5281,7 +5281,7 @@ nfsrpc_getdirpath(struct nfsmount *nmp, u_char *dirpath, struct ucred *cred,
 	struct nfsrv_descript nfsd;
 	struct nfsrv_descript *nd = &nfsd;
 	u_char *cp, *cp2, *fhp;
-	int error, cnt, len, setnil;
+	int error, cnt, i, len, setnil;
 	u_int32_t *opcntp;
 
 	nfscl_reqstart(nd, NFSPROC_PUTROOTFH, nmp, NULL, 0, &opcntp, NULL, 0,
@@ -5322,8 +5322,12 @@ nfsrpc_getdirpath(struct nfsmount *nmp, u_char *dirpath, struct ucred *cred,
 	if (error)
 		return (error);
 	if (nd->nd_repstat == 0) {
-		NFSM_DISSECT(tl, u_int32_t *, (3 + 2 * cnt) * NFSX_UNSIGNED);
-		tl += (2 + 2 * cnt);
+		NFSM_DISSECT(tl, uint32_t *, 3 * NFSX_UNSIGNED);
+		tl += 2;
+		for (i = 0; i < cnt; i++) {
+			NFSM_DISSECT(tl, uint32_t *, 2 * NFSX_UNSIGNED);
+			tl++;
+		}
 		if ((len = fxdr_unsigned(int, *tl)) <= 0 ||
 			len > NFSX_FHMAX) {
 			nd->nd_repstat = NFSERR_BADXDR;
home | help

Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202510310106.59V166M0022328>