Skip site navigation (1)Skip section navigation (2) 
Date:      Tue, 28 Oct 2025 14:47:29 GMT
From:      Rick Macklem <rmacklem@FreeBSD.org>
To:        src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
Subject:   git: 4672adcea4cf - main - nfs_commonsubs.c: Add a sanity check for nid_ngroup
Message-ID:  <202510281447.59SElTcu023103@gitrepo.freebsd.org>
index | next in thread | raw e-mail 

The branch main has been updated by rmacklem:

URL: https://cgit.FreeBSD.org/src/commit/?id=4672adcea4cf3c0c626d186f1f41c69552d915f1

commit 4672adcea4cf3c0c626d186f1f41c69552d915f1
Author:     Rick Macklem <rmacklem@FreeBSD.org>
AuthorDate: 2025-10-28 14:44:14 +0000
Commit:     Rick Macklem <rmacklem@FreeBSD.org>
CommitDate: 2025-10-28 14:44:14 +0000

    nfs_commonsubs.c: Add a sanity check for nid_ngroup
    
    The nfsuserd(8) daemon passes user credentials
    (uid + gids) into the kernel for users and groups
    identified by name (received from a NFSv4 server).
    
    This patch add a sanity check for the number of
    groups (nid_ngroup) passed in.
    
    It's only purpose is to protect against a bogus
    nfsuserd(8) running in a jail.
    
    Reported by:    Ilja Van Sprundel <ivansprundel@ioactive.com>
    Reviewed by:    markj
    MFC after:      3 days
    Differential Revision:  https://reviews.freebsd.org/D53389
---
 sys/fs/nfs/nfs_commonsubs.c | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/sys/fs/nfs/nfs_commonsubs.c b/sys/fs/nfs/nfs_commonsubs.c
index 8d506a5643a9..8e1a26eef354 100644
--- a/sys/fs/nfs/nfs_commonsubs.c
+++ b/sys/fs/nfs/nfs_commonsubs.c
@@ -4192,10 +4192,15 @@ nfssvc_idname(struct nfsd_idargs *nidp)
 	    nidp->nid_namelen);
 	if (error == 0 && nidp->nid_ngroup > 0 &&
 	    (nidp->nid_flag & NFSID_ADDUID) != 0) {
-		grps = malloc(sizeof(gid_t) * nidp->nid_ngroup, M_TEMP,
-		    M_WAITOK);
-		error = copyin(nidp->nid_grps, grps,
-		    sizeof(gid_t) * nidp->nid_ngroup);
+		grps = NULL;
+		if (nidp->nid_ngroup > NGROUPS_MAX)
+			error = EINVAL;
+		if (error == 0) {
+			grps = malloc(sizeof(gid_t) * nidp->nid_ngroup, M_TEMP,
+			    M_WAITOK);
+			error = copyin(nidp->nid_grps, grps,
+			    sizeof(gid_t) * nidp->nid_ngroup);
+		}
 		if (error == 0) {
 			/*
 			 * Create a credential just like svc_getcred(),
home | help

Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202510281447.59SElTcu023103>