Date: Mon, 27 Oct 2025 14:38:18 GMT
Message-Id: <202510271438.59REcIPg065564@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Rick Macklem
Subject: git: 3053b2a3dcab - main - nfs_clrpcops.c: Add sanity checks for the slot cnts
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
X-Git-Committer: rmacklem
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 3053b2a3dcab6e05311c3b696bee4c9e5698d93a

The branch main has been updated by rmacklem:

URL: https://cgit.FreeBSD.org/src/commit/?id=3053b2a3dcab6e05311c3b696bee4c9e5698d93a

commit 3053b2a3dcab6e05311c3b696bee4c9e5698d93a
Author:     Rick Macklem
AuthorDate: 2025-10-27 14:35:27 +0000
Commit:     Rick Macklem
CommitDate: 2025-10-27 14:35:27 +0000

    nfs_clrpcops.c: Add sanity checks for the slot cnts

    The reply to CreateSession includes the slot cnt for both
    fore and back slots. It should never be larger than the
    argument specified and the fore slot cnt should always be
    at least 1.

    Without this patch, the replied slot cnts were not being
    sanity checked.

    While here, replace 64 with NFSV4_SLOTS (which is 64).

    Reported by: Ilja Van Sprundel
    Reviewed by: emaste, markj
    MFC after: 3 days
    Differential Revision: https://reviews.freebsd.org/D53363
---
 sys/fs/nfsclient/nfs_clrpcops.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/sys/fs/nfsclient/nfs_clrpcops.c b/sys/fs/nfsclient/nfs_clrpcops.c index d3b83eb8b94b..d9f27c3f31a2 100644 --- a/sys/fs/nfsclient/nfs_clrpcops.c +++ b/sys/fs/nfsclient/nfs_clrpcops.c
@@ -5599,7 +5599,7 @@ nfsrpc_createsession(struct nfsmount *nmp, struct nfsclsession *sep, } *tl++ = txdr_unsigned(4096); /* Max response size cached */ *tl++ = txdr_unsigned(20); /* Max operations */ - *tl++ = txdr_unsigned(64); /* Max slots */ + *tl++ = txdr_unsigned(NFSV4_SLOTS); /* Max slots */ *tl = 0; /* No rdma ird */ /* Fill in back channel attributes. */ @@ -5668,6 +5668,11 @@ nfsrpc_createsession(struct nfsmount *nmp, struct nfsclsession *sep, sep->nfsess_maxcache = fxdr_unsigned(int, *tl++); tl++; sep->nfsess_foreslots = fxdr_unsigned(uint16_t, *tl++); + if (sep->nfsess_foreslots == 0) { + error = NFSERR_BADXDR; + goto nfsmout; + } else if (sep->nfsess_foreslots > NFSV4_SLOTS) + sep->nfsess_foreslots = NFSV4_SLOTS; NFSCL_DEBUG(4, "fore slots=%d\n", (int)sep->nfsess_foreslots); irdcnt = fxdr_unsigned(int, *tl); if (irdcnt < 0 || irdcnt > 1) { @@ -5681,6 +5686,8 @@ nfsrpc_createsession(struct nfsmount *nmp, struct nfsclsession *sep, NFSM_DISSECT(tl, uint32_t *, 7 * NFSX_UNSIGNED); tl += 5; sep->nfsess_backslots = fxdr_unsigned(uint16_t, *tl); + if (sep->nfsess_backslots > NFSV4_CBSLOTS) + sep->nfsess_backslots = NFSV4_CBSLOTS; NFSCL_DEBUG(4, "back slots=%d\n", (int)sep->nfsess_backslots); } error = nd->nd_repstat;
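Review bot: In the second hunk (fore channel reply parsing, @@ -5668), the new bounds are tested only after the uint16_t cast in `sep->nfsess_foreslots = fxdr_unsigned(uint16_t, *tl++);` has narrowed the 32-bit XDR word, so the check sees the low 16 bits rather than the count the server actually sent. A reply of 65536 is rejected as zero while 65537 is accepted as 1. The stored value still ends up within 1..NFSV4_SLOTS, so the bound itself holds, but decoding into a 32-bit local, validating that, and only then assigning to sep->nfsess_foreslots would make the check match the wire value. Separately, zero fails with NFSERR_BADXDR while a count above NFSV4_SLOTS is clamped silently; since the commit message says the reply should never be larger than the argument specified, a short comment or an NFSCL_DEBUG line on the clamp path would record why an out-of-spec reply is tolerated there. The `else` following `goto nfsmout;` is redundant and the two arms are braced inconsistently.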
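Review bot: In the third hunk (back channel reply parsing, @@ -5686), the clamp to NFSV4_CBSLOTS only enforces "never larger than the argument specified" if NFSV4_CBSLOTS is also what the request sends in the back channel attributes, and that request line is not part of this diff; the first hunk switches only the fore channel request to NFSV4_SLOTS. Please confirm the back channel request uses the same constant, or change it here so the request and the clamp cannot drift apart. As with the fore count, the comparison runs on the value after the uint16_t cast in `fxdr_unsigned(uint16_t, *tl)`, so it bounds the truncated count rather than the one on the wire. A one-line comment that zero is acceptable for back slots (the commit message requires at least 1 only for the fore count) would keep a later reader from assuming the zero check was forgotten.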