git: 2c82cdd2e29f - main - nfs_clrpcops.c: Check for too large a write reply

The branch main has been updated by rmacklem:

URL: https://cgit.FreeBSD.org/src/commit/?id=2c82cdd2e29f8ba00d4289f36f8baa1598a1ad9b

commit 2c82cdd2e29f8ba00d4289f36f8baa1598a1ad9b
Author:     Rick Macklem <rmacklem@FreeBSD.org>
AuthorDate: 2025-10-27 14:49:32 +0000
Commit:     Rick Macklem <rmacklem@FreeBSD.org>
CommitDate: 2025-10-27 14:49:32 +0000

    nfs_clrpcops.c: Check for too large a write reply
    
    The "rlen" reply length for a Write operation/RPC
    could cause trouble if a broken server replies with
    too large a value.
    
    Improve the sanity check for "rlen" to avoid this.
    
    Reported by:    Ilja Van Sprundel <ivansprundel@ioactive.com>
    Reviewed by:    emaste, markj
    MFC after:      3 days
    Differential Revision:  https://reviews.freebsd.org/D53368
---
 sys/fs/nfsclient/nfs_clrpcops.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/sys/fs/nfsclient/nfs_clrpcops.c b/sys/fs/nfsclient/nfs_clrpcops.c
index c8a130c34412..983eb8b9226f 100644
--- a/sys/fs/nfsclient/nfs_clrpcops.c
+++ b/sys/fs/nfsclient/nfs_clrpcops.c
@@ -2212,7 +2212,7 @@ nfsrpc_writerpc(vnode_t vp, struct uio *uiop, int *iomode,
 				NFSM_DISSECT(tl, u_int32_t *, 2 * NFSX_UNSIGNED
 					+ NFSX_VERF);
 				rlen = fxdr_unsigned(int, *tl++);
-				if (rlen == 0) {
+				if (rlen <= 0 || rlen > len) {
 					error = NFSERR_IO;
 					goto nfsmout;
 				} else if (rlen < len) {
@@ -7257,7 +7257,7 @@ nfsrpc_writeds(vnode_t vp, struct uio *uiop, int *iomode, int *must_commit,
 		NFSM_DISSECT(tl, uint32_t *, 2 * NFSX_UNSIGNED + NFSX_VERF);
 		rlen = fxdr_unsigned(int, *tl++);
 		NFSCL_DEBUG(4, "nfsrpc_writeds: len=%d rlen=%d\n", len, rlen);
-		if (rlen == 0) {
+		if (rlen <= 0 || rlen > len) {
 			error = NFSERR_IO;
 			goto nfsmout;
 		} else if (rlen < len) {