git: 5b430a132330 - main - nfsd: Sanity check the len argument for ListXattr
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Sat, 27 Nov 2021 00:00:02 UTC
The branch main has been updated by rmacklem:
URL: https://cgit.FreeBSD.org/src/commit/?id=5b430a132330bd4a4ea37780807947f3800d009e
commit 5b430a132330bd4a4ea37780807947f3800d009e
Author: Rick Macklem <rmacklem@FreeBSD.org>
AuthorDate: 2021-11-26 23:56:29 +0000
Commit: Rick Macklem <rmacklem@FreeBSD.org>
CommitDate: 2021-11-26 23:56:29 +0000
nfsd: Sanity check the len argument for ListXattr
The check for the original len being >= retlen needs to
be done before the "if (nd->nd_repstat == 0)" code, so
that it can be reported as too small.
Reported by: rtm@lcs.mit.edu
Tested by: rtm@lcs.mit.edu
PR: 260046
MFC after: 2 weeks
---
sys/fs/nfsserver/nfs_nfsdserv.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/sys/fs/nfsserver/nfs_nfsdserv.c b/sys/fs/nfsserver/nfs_nfsdserv.c
index 80c492251ce8..4c5dade2c278 100644
--- a/sys/fs/nfsserver/nfs_nfsdserv.c
+++ b/sys/fs/nfsserver/nfs_nfsdserv.c
@@ -6095,10 +6095,12 @@ nfsrvd_listxattr(struct nfsrv_descript *nd, __unused int isdgram,
if (cookie2 < cookie)
nd->nd_repstat = NFSERR_BADXDR;
}
+ retlen = NFSX_HYPER + 2 * NFSX_UNSIGNED;
+ if (nd->nd_repstat == 0 && len2 < retlen)
+ nd->nd_repstat = NFSERR_TOOSMALL;
if (nd->nd_repstat == 0) {
/* Now copy the entries out. */
- retlen = NFSX_HYPER + 2 * NFSX_UNSIGNED;
- if (len == 0 && retlen <= len2) {
+ if (len == 0) {
/* The cookie was at eof. */
NFSM_BUILD(tl, uint32_t *, NFSX_HYPER + 2 *
NFSX_UNSIGNED);