Date: Thu, 9 Dec 2021 22:19:11 GMT
From: Rick Macklem <rmacklem@FreeBSD.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
Subject: git: d9931c25617d - main - nfscl: Sanity check the callback tag length
Message-ID: <202112092219.1B9MJBIx014210@gitrepo.freebsd.org>
The branch main has been updated by rmacklem: URL: https://cgit.FreeBSD.org/src/commit/?id=d9931c25617d6625e280fda19bd9c2878e49c091 commit d9931c25617d6625e280fda19bd9c2878e49c091 Author: Rick Macklem <rmacklem@FreeBSD.org> AuthorDate: 2021-12-09 22:15:48 +0000 Commit: Rick Macklem <rmacklem@FreeBSD.org> CommitDate: 2021-12-09 22:15:48 +0000 nfscl: Sanity check the callback tag length The sanity check for tag length in a callback request was broken in two ways: It checked for a negative value, but not a large positive value. It did not set taglen to -1, to indicate to the code that it should not be used. This patch fixes both of these issues. Reported by: rtm@lcs.mit.edu Tested by: rtm@lcs.mit.edu PR: 260266 MFC after: 2 weeks --- sys/fs/nfsclient/nfs_clstate.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/sys/fs/nfsclient/nfs_clstate.c b/sys/fs/nfsclient/nfs_clstate.c index 082469aef1bc..ead90fd49c14 100644 --- a/sys/fs/nfsclient/nfs_clstate.c +++ b/sys/fs/nfsclient/nfs_clstate.c @@ -3531,8 +3531,9 @@ nfscl_docb(struct nfsrv_descript *nd, NFSPROC_T *p) nfsrvd_rephead(nd); NFSM_DISSECT(tl, u_int32_t *, NFSX_UNSIGNED); taglen = fxdr_unsigned(int, *tl); - if (taglen < 0) { + if (taglen < 0 || taglen > NFSV4_OPAQUELIMIT) { error = EBADRPC; + taglen = -1; goto nfsmout; } if (taglen <= NFSV4_SMALLSTR)
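Review bot: the `taglen = -1;` assignment in the error branch of nfscl_docb() depends on a sentinel convention that is explained only in the commit message ("to indicate to the code that it should not be used") and not in the code. Sitting directly before `goto nfsmout;`, it reads like a dead store and could be dropped in a later cleanup, which would bring back the second half of the bug. A one-line comment at the assignment saying that the code reached through nfsmout treats a negative taglen as "no tag" would protect it. The new bound `taglen > NFSV4_OPAQUELIMIT` is correctly placed ahead of the `if (taglen <= NFSV4_SMALLSTR)` branch, so no sizing decision is made on an unchecked wire value. Since taglen is decoded with `fxdr_unsigned(int, *tl)`, wire values with the high bit set are rejected by the `taglen < 0` half of the test, and that is worth stating in the same comment so that both halves of the condition are kept.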