Date: Wed, 1 Dec 2021 21:58:45 GMT From: Rick Macklem <rmacklem@FreeBSD.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org Subject: git: fd020f197d6a - main - nfsd: Sanity check the ACL attribute Message-ID: <202112012158.1B1LwjFV000927@gitrepo.freebsd.org>
next in thread | raw e-mail | index | archive | help
The branch main has been updated by rmacklem: URL: https://cgit.FreeBSD.org/src/commit/?id=fd020f197d6ac481d36171ea69fe555eb911d673 commit fd020f197d6ac481d36171ea69fe555eb911d673 Author: Rick Macklem <rmacklem@FreeBSD.org> AuthorDate: 2021-12-01 21:55:17 +0000 Commit: Rick Macklem <rmacklem@FreeBSD.org> CommitDate: 2021-12-01 21:55:17 +0000 nfsd: Sanity check the ACL attribute When an ACL is presented to the NFSv4 server in Setattr or Verify, parsing of the ACL assumed a sane acecnt and sane sizes for the "who" strings. This patch adds sanity checks for these. The patch also fixes handling of an error return from nfsrv_dissectacl() for one broken case. Reported by: rtm@lcs.mit.edu Tested by: rtm@lcs.mit.edu PR: 260111 MFC after: 2 weeks --- sys/fs/nfs/nfs_commonacl.c | 6 +++++- sys/fs/nfs/nfs_commonsubs.c | 10 ++++++++++ 2 files changed, 15 insertions(+), 1 deletion(-) diff --git a/sys/fs/nfs/nfs_commonacl.c b/sys/fs/nfs/nfs_commonacl.c index 99a67edc044d..19492675e731 100644 --- a/sys/fs/nfs/nfs_commonacl.c +++ b/sys/fs/nfs/nfs_commonacl.c @@ -58,7 +58,11 @@ nfsrv_dissectace(struct nfsrv_descript *nd, struct acl_entry *acep, flag = fxdr_unsigned(u_int32_t, *tl++); mask = fxdr_unsigned(u_int32_t, *tl++); len = fxdr_unsigned(int, *tl); - if (len < 0) { + /* + * The RFCs do not specify a limit to the length of the "who", but + * NFSV4_OPAQUELIMIT (1024) should be sufficient. + */ + if (len < 0 || len > NFSV4_OPAQUELIMIT) { error = NFSERR_BADXDR; goto nfsmout; } else if (len == 0) { diff --git a/sys/fs/nfs/nfs_commonsubs.c b/sys/fs/nfs/nfs_commonsubs.c index 910f10eb1b4a..d882d248ef7f 100644 --- a/sys/fs/nfs/nfs_commonsubs.c +++ b/sys/fs/nfs/nfs_commonsubs.c @@ -1107,6 +1107,14 @@ nfsrv_dissectacl(struct nfsrv_descript *nd, NFSACL_T *aclp, int *aclerrp, NFSM_DISSECT(tl, u_int32_t *, NFSX_UNSIGNED); aclsize = NFSX_UNSIGNED; acecnt = fxdr_unsigned(int, *tl); + /* + * The RFCs do not define a fixed limit to the number of ACEs in + * an ACL, but 10240 should be more than sufficient. + */ + if (acecnt < 0 || acecnt > 10240) { + error = NFSERR_BADXDR; + goto nfsmout; + } if (acecnt > ACL_MAX_ENTRIES) aceerr = NFSERR_ATTRNOTSUPP; if (nfsrv_useacl == 0) @@ -1492,6 +1500,8 @@ nfsv4_loadattr(struct nfsrv_descript *nd, vnode_t vp, } else { error = nfsrv_dissectacl(nd, NULL, &aceerr, &cnt, p); + if (error) + goto nfsmout; *retcmpp = NFSERR_ATTRNOTSUPP; } }
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202112012158.1B1LwjFV000927>