git: 5b76a6b862ad - stable/13 - nfsd: Sanity check the len argument for ListXattr
Date: Sat, 11 Dec 2021 02:29:51 UTC
The branch stable/13 has been updated by rmacklem:
URL: https://cgit.FreeBSD.org/src/commit/?id=5b76a6b862ad5ea35c3f9a4572b6388acdfd3de7
commit 5b76a6b862ad5ea35c3f9a4572b6388acdfd3de7
Author: Rick Macklem <rmacklem@FreeBSD.org>
AuthorDate: 2021-11-26 23:56:29 +0000
Commit: Rick Macklem <rmacklem@FreeBSD.org>
CommitDate: 2021-12-11 02:26:22 +0000
nfsd: Sanity check the len argument for ListXattr
The check for the original len being >= retlen needs to
be done before the "if (nd->nd_repstat == 0)" code, so
that it can be reported as too small.
PR: 260046
(cherry picked from commit 5b430a132330bd4a4ea37780807947f3800d009e)
---
sys/fs/nfsserver/nfs_nfsdserv.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/sys/fs/nfsserver/nfs_nfsdserv.c b/sys/fs/nfsserver/nfs_nfsdserv.c
index 4ca49f75fc2c..517741a45288 100644
--- a/sys/fs/nfsserver/nfs_nfsdserv.c
+++ b/sys/fs/nfsserver/nfs_nfsdserv.c
@@ -5990,10 +5990,12 @@ nfsrvd_listxattr(struct nfsrv_descript *nd, __unused int isdgram,
if (cookie2 < cookie)
nd->nd_repstat = NFSERR_BADXDR;
}
+ retlen = NFSX_HYPER + 2 * NFSX_UNSIGNED;
+ if (nd->nd_repstat == 0 && len2 < retlen)
+ nd->nd_repstat = NFSERR_TOOSMALL;
if (nd->nd_repstat == 0) {
/* Now copy the entries out. */
- retlen = NFSX_HYPER + 2 * NFSX_UNSIGNED;
- if (len == 0 && retlen <= len2) {
+ if (len == 0) {
/* The cookie was at eof. */
NFSM_BUILD(tl, uint32_t *, NFSX_HYPER + 2 *
NFSX_UNSIGNED);
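Review bot: The added `if (nd->nd_repstat == 0 && len2 < retlen)` test carries no comment, so a reader has to go to the commit message to learn that `len2` is the original len argument and why a value below `retlen` is reported as NFSERR_TOOSMALL. A short comment above `retlen = NFSX_HYPER + 2 * NFSX_UNSIGNED;` saying what that size covers would make the check self-explanatory. In the `len == 0` branch, NFSM_BUILD still spells out `NFSX_HYPER + 2 * NFSX_UNSIGNED` instead of using `retlen`. Using the variable there would keep the size that was checked and the size that is built from drifting apart if one of them is changed later.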