git: 1a679fb90796 - main - nfs_nfsdserv.c: Add a sanity check for layout commit cnt
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Mon, 27 Oct 2025 14:27:55 UTC
The branch main has been updated by rmacklem:
URL: https://cgit.FreeBSD.org/src/commit/?id=1a679fb907962843f01b103ec672136a8f8d8edb
commit 1a679fb907962843f01b103ec672136a8f8d8edb
Author: Rick Macklem <rmacklem@FreeBSD.org>
AuthorDate: 2025-10-27 14:24:47 +0000
Commit: Rick Macklem <rmacklem@FreeBSD.org>
CommitDate: 2025-10-27 14:24:47 +0000
nfs_nfsdserv.c: Add a sanity check for layout commit cnt
If a client were to send a LayoutCommit (seldom
used and only for a pNFS server) with a bogus
cnt, there could be problems with a malloc() call
that uses it.
This patch adds a sanity check for the cnt. Note
that RFC8881 does not specify any upper bound
on the cnt.
Reported by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Reviewed by: markj
MFC after: 3 days
Differential Revision: https://reviews.freebsd.org/D53354
---
sys/fs/nfsserver/nfs_nfsdserv.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/sys/fs/nfsserver/nfs_nfsdserv.c b/sys/fs/nfsserver/nfs_nfsdserv.c
index 6f3447f26620..67af0cf71175 100644
--- a/sys/fs/nfsserver/nfs_nfsdserv.c
+++ b/sys/fs/nfsserver/nfs_nfsdserv.c
@@ -5138,6 +5138,11 @@ nfsrvd_layoutcommit(struct nfsrv_descript *nd, __unused int isdgram,
NFSM_DISSECT(tl, uint32_t *, 2 * NFSX_UNSIGNED);
layouttype = fxdr_unsigned(int, *tl++);
maxcnt = fxdr_unsigned(int, *tl);
+ /* There is no limit in the RFC, so use 1000 as a sanity limit. */
+ if (maxcnt < 0 || maxcnt > 1000) {
+ error = NFSERR_BADXDR;
+ goto nfsmout;
+ }
if (maxcnt > 0) {
layp = malloc(maxcnt + 1, M_TEMP, M_WAITOK);
error = nfsrv_mtostr(nd, layp, maxcnt);