git: e5fc5bc53fb8 - releng/15.0 - nfs_commonsubs.c: Add a sanity check for nid_ngroup
Date: Mon, 03 Nov 2025 20:29:44 UTC
The branch releng/15.0 has been updated by cperciva:
URL: https://cgit.FreeBSD.org/src/commit/?id=e5fc5bc53fb83caea92ec9856aa4638ce7a97b46
commit e5fc5bc53fb83caea92ec9856aa4638ce7a97b46
Author: Rick Macklem <rmacklem@FreeBSD.org>
AuthorDate: 2025-10-28 14:44:14 +0000
Commit: Colin Percival <cperciva@FreeBSD.org>
CommitDate: 2025-11-03 20:28:56 +0000
nfs_commonsubs.c: Add a sanity check for nid_ngroup
The nfsuserd(8) daemon passes user credentials
(uid + gids) into the kernel for users and groups
identified by name (received from an NFSv4 server).
This patch adds a sanity check for the number of
groups (nid_ngroup) passed in.
Its only purpose is to protect against a bogus
nfsuserd(8) running in a jail.
Approved by: re (cperciva)
(cherry picked from commit 4672adcea4cf3c0c626d186f1f41c69552d915f1)
(cherry picked from commit 83a0732a4cfe9f2846e144b39ebe517cbe395fac)
---
sys/fs/nfs/nfs_commonsubs.c | 13 +++++++++----
1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/sys/fs/nfs/nfs_commonsubs.c b/sys/fs/nfs/nfs_commonsubs.c
index 7f5b29ca2085..dd3b8b4f1708 100644
--- a/sys/fs/nfs/nfs_commonsubs.c
+++ b/sys/fs/nfs/nfs_commonsubs.c
@@ -4165,10 +4165,15 @@ nfssvc_idname(struct nfsd_idargs *nidp)
nidp->nid_namelen);
if (error == 0 && nidp->nid_ngroup > 0 &&
(nidp->nid_flag & NFSID_ADDUID) != 0) {
- grps = malloc(sizeof(gid_t) * nidp->nid_ngroup, M_TEMP,
- M_WAITOK);
- error = copyin(nidp->nid_grps, grps,
- sizeof(gid_t) * nidp->nid_ngroup);
+ grps = NULL;
+ if (nidp->nid_ngroup > NGROUPS_MAX)
+ error = EINVAL;
+ if (error == 0) {
+ grps = malloc(sizeof(gid_t) * nidp->nid_ngroup, M_TEMP,
+ M_WAITOK);
+ error = copyin(nidp->nid_grps, grps,
+ sizeof(gid_t) * nidp->nid_ngroup);
+ }
if (error == 0) {
/*
* Create a credential just like svc_getcred(),
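Review bot: The new bound at `if (nidp->nid_ngroup > NGROUPS_MAX)` has no comment, so nothing in nfssvc_idname() tells a reader that nid_ngroup is supplied by nfsuserd(8), which may be running in a jail. A short comment above the check saying so, and why NGROUPS_MAX is the right limit for the credential built below, would keep it from being dropped later as redundant. On the rejected path `grps` stays NULL while `error` is EINVAL, so the cleanup that follows this hunk (not visible here) needs to tolerate a NULL `grps`; worth confirming. As a style point, the enclosing condition already guarantees `error == 0`, so the check could be written as `if (nidp->nid_ngroup > NGROUPS_MAX) error = EINVAL; else { ... }` with the malloc and copyin in the else branch, which avoids two consecutive `if (error == 0)` tests.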