From nobody Thu Mar 26 01:13:36 2026
X-Original-To: dev-commits-src-main@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4fh5Pr4gZTz6X47Q
	for <dev-commits-src-main@mlmmj.nyi.freebsd.org>; Thu, 26 Mar 2026 01:13:36 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
	 client-signature RSA-PSS (4096 bits) client-digest SHA256)
	(Client CN "mxrelay.nyi.freebsd.org", Issuer "R12" (not verified))
	by mx1.freebsd.org (Postfix) with ESMTPS id 4fh5Pr0rs3z3JMs
	for <dev-commits-src-main@FreeBSD.org>; Thu, 26 Mar 2026 01:13:36 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim;
	t=1774487616;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=UzsljwCK02DNufcQQcXuJFdrxmXqjTpAohWUPHLTOkM=;
	b=tlsH+7h3Z2u9n+jt4ixW4n5hTQoKdEy6e2fUs1bd3UX6mrdrRzQgY5RpQoMA1JgMtd9UXZ
	M3f50LenZji91uL4LLCoPgpoWBO2j/CqvqQxC11Y8zmlAc3rLf8Ku9l3IP0BpqgnTfkfnz
	Fmx3v9s8sqszOW4prd4TN4Jsy7ho5hohO8BHdj4DVkFEGc2xJ5WVJOfldMwJ7dvSLtzHSn
	Fm+2AS1H6DvvNrcx0zMR7SRpAYIJ3QyVq1+kNfKQE2uobgy+sSST6j6HE5U4haN+8gHJg6
	LLRgz7nbOME4xJptIWm+GaIkN5p81og1SO55tdzD/rlTlgiIiQKwwpVKMORMAg==
ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1774487616; a=rsa-sha256; cv=none;
	b=f0jGe77//NLinbBDZv0pRuBbRxRioIJlRtMjUVNRtAxqdxh5RIaqwjvWsxWkSFY3dFOwk0
	LPFV7i41IKam20aMQukkShae0jIn4CF/v9lUSRmePjc8G/ALcgStZ+cE7AOMnmA6wh4Up2
	GncJgUhmRgcEI+R3f02+v3Ro9B7vGtNHPRBOoKPCMFxce06IcWKtD+wgkk3hWKzB3cqbtd
	IPLtihl+2HZlLoWYAz7BHaAdBhoHjdFU7hig1ar00Cf0FL27Sxc+ZnedsWkdnP4flPYDrP
	wgvADi7FPy0q1H8j4yHTeLiAROeEMiVfqu/5yN8Z5lgxYAMnluEaoEoMln0R+A==
ARC-Authentication-Results: i=1;
	mx1.freebsd.org;
	none
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org;
	s=dkim; t=1774487616;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=UzsljwCK02DNufcQQcXuJFdrxmXqjTpAohWUPHLTOkM=;
	b=Qjwh7nOzIKz9lQfA4TJv/nl592SIZaoh0tLe9W9rK8NyP5sxAPeM4L+GnvdldEI0ZtS8oS
	HBIu1vfXAZScnUdwwpidSCvnH6rejmPx77g5IEivRxlWgGnsRgkRCjocouGnaB47a2lWXT
	bnhE77BjglbqrtTalmjAitczKRzqXC7jegYHtNI6RAQTjPflU+khSRFJv8JBNTW8OzAJ7j
	uEw12aChnrGVTaOe/XHErbQ6slEDqhsafJT9H0an7PyCg2RFATqWSlCtSXnmA4Z6D7pht8
	CtFTHtOZj3bsz8Xkd91G1X3jNVkXTGqj/K32akA3JQqYcmfMErEI3MPuOL8cmw==
Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5])
	by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4fh5Pr0NrzzTvP
	for <dev-commits-src-main@FreeBSD.org>; Thu, 26 Mar 2026 01:13:36 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from git (uid 1279)
	(envelope-from git@FreeBSD.org)
	id 196b8
	by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org);
	Thu, 26 Mar 2026 01:13:36 +0000
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
Cc: Mark Johnston <markj@FreeBSD.org>
From: Gordon Tetlow <gordon@FreeBSD.org>
Subject: git: 143293c14f8d - main - rpcsec_gss: Fix a stack overflow in svc_rpc_gss_validate()
List-Id: Commit messages for the main branch of the src repository <dev-commits-src-main.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main
List-Help: <mailto:dev-commits-src-main+help@freebsd.org>
List-Post: <mailto:dev-commits-src-main@freebsd.org>
List-Subscribe: <mailto:dev-commits-src-main+subscribe@freebsd.org>
List-Unsubscribe: <mailto:dev-commits-src-main+unsubscribe@freebsd.org>
X-BeenThere: dev-commits-src-main@freebsd.org
Sender: owner-dev-commits-src-main@FreeBSD.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: gordon
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 143293c14f8de00c6d3de88cd23fc224e7014206
Auto-Submitted: auto-generated
Date: Thu, 26 Mar 2026 01:13:36 +0000
Message-Id: <69c48840.196b8.4cad278a@gitrepo.freebsd.org>

The branch main has been updated by gordon:

URL: https://cgit.FreeBSD.org/src/commit/?id=143293c14f8de00c6d3de88cd23fc224e7014206

commit 143293c14f8de00c6d3de88cd23fc224e7014206
Author:     Mark Johnston <markj@FreeBSD.org>
AuthorDate: 2026-03-24 02:12:42 +0000
Commit:     Gordon Tetlow <gordon@FreeBSD.org>
CommitDate: 2026-03-26 01:11:54 +0000

    rpcsec_gss: Fix a stack overflow in svc_rpc_gss_validate()
    
    svc_rpc_gss_validate() copies the input message into a stack buffer
    without ensuring that the buffer is large enough.  Sure enough,
    oa_length may be up to 400 bytes, much larger than the provided space.
    This enables an unauthenticated user to trigger an overflow and obtain
    remote code execution.
    
    Add a runtime check which verifies that the copy won't overflow.
    
    Approved by:    so
    Security:       FreeBSD-SA-26:08.rpcsec_gss
    Security:       CVE-2026-4747
    Reported by:    Nicholas Carlini <npc@anthropic.com>
    Reviewed by:    rmacklem
    Fixes:          a9148abd9da5d
---
 lib/librpcsec_gss/svc_rpcsec_gss.c  |  9 ++++++++-
 sys/rpc/rpcsec_gss/svc_rpcsec_gss.c | 10 +++++++++-
 2 files changed, 17 insertions(+), 2 deletions(-)

diff --git a/lib/librpcsec_gss/svc_rpcsec_gss.c b/lib/librpcsec_gss/svc_rpcsec_gss.c
index e9d39a813f86..73b92371e6d0 100644
--- a/lib/librpcsec_gss/svc_rpcsec_gss.c
+++ b/lib/librpcsec_gss/svc_rpcsec_gss.c
@@ -758,6 +758,14 @@ svc_rpc_gss_validate(struct svc_rpc_gss_client *client, struct rpc_msg *msg,
 	
 	memset(rpchdr, 0, sizeof(rpchdr));
 
+	oa = &msg->rm_call.cb_cred;
+
+	if (oa->oa_length > sizeof(rpchdr) - 8 * BYTES_PER_XDR_UNIT) {
+		log_debug("auth length %d exceeds maximum", oa->oa_length);
+		client->cl_state = CLIENT_STALE;
+		return (FALSE);
+	}
+
 	/* Reconstruct RPC header for signing (from xdr_callmsg). */
 	buf = rpchdr;
 	IXDR_PUT_LONG(buf, msg->rm_xid);
@@ -766,7 +774,6 @@ svc_rpc_gss_validate(struct svc_rpc_gss_client *client, struct rpc_msg *msg,
 	IXDR_PUT_LONG(buf, msg->rm_call.cb_prog);
 	IXDR_PUT_LONG(buf, msg->rm_call.cb_vers);
 	IXDR_PUT_LONG(buf, msg->rm_call.cb_proc);
-	oa = &msg->rm_call.cb_cred;
 	IXDR_PUT_ENUM(buf, oa->oa_flavor);
 	IXDR_PUT_LONG(buf, oa->oa_length);
 	if (oa->oa_length) {
diff --git a/sys/rpc/rpcsec_gss/svc_rpcsec_gss.c b/sys/rpc/rpcsec_gss/svc_rpcsec_gss.c
index 35c904560836..528112d5642a 100644
--- a/sys/rpc/rpcsec_gss/svc_rpcsec_gss.c
+++ b/sys/rpc/rpcsec_gss/svc_rpcsec_gss.c
@@ -1170,6 +1170,15 @@ svc_rpc_gss_validate(struct svc_rpc_gss_client *client, struct rpc_msg *msg,
 	
 	memset(rpchdr, 0, sizeof(rpchdr));
 
+	oa = &msg->rm_call.cb_cred;
+
+	if (oa->oa_length > sizeof(rpchdr) - 8 * BYTES_PER_XDR_UNIT) {
+		rpc_gss_log_debug("auth length %d exceeds maximum",
+		    oa->oa_length);
+		client->cl_state = CLIENT_STALE;
+		return (FALSE);
+	}
+
 	/* Reconstruct RPC header for signing (from xdr_callmsg). */
 	buf = rpchdr;
 	IXDR_PUT_LONG(buf, msg->rm_xid);
@@ -1178,7 +1187,6 @@ svc_rpc_gss_validate(struct svc_rpc_gss_client *client, struct rpc_msg *msg,
 	IXDR_PUT_LONG(buf, msg->rm_call.cb_prog);
 	IXDR_PUT_LONG(buf, msg->rm_call.cb_vers);
 	IXDR_PUT_LONG(buf, msg->rm_call.cb_proc);
-	oa = &msg->rm_call.cb_cred;
 	IXDR_PUT_ENUM(buf, oa->oa_flavor);
 	IXDR_PUT_LONG(buf, oa->oa_length);
 	if (oa->oa_length) {