git: 7c9d801ed278 - stable/14 - nfs_nfsdserv.c: Add a sanity check for layout commit cnt
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Thu, 30 Oct 2025 01:21:32 UTC
The branch stable/14 has been updated by rmacklem:
URL: https://cgit.FreeBSD.org/src/commit/?id=7c9d801ed27885af0f96b89b8b44480ee9808ea5
commit 7c9d801ed27885af0f96b89b8b44480ee9808ea5
Author: Rick Macklem <rmacklem@FreeBSD.org>
AuthorDate: 2025-10-27 14:24:47 +0000
Commit: Rick Macklem <rmacklem@FreeBSD.org>
CommitDate: 2025-10-30 01:18:41 +0000
nfs_nfsdserv.c: Add a sanity check for layout commit cnt
If a client were to send a LayoutCommit (seldom
used and only for a pNFS server) with a bogus
cnt, there could be problems with a malloc() call
that uses it.
This patch adds a sanity check for the cnt. Note
that RFC8881 does not specify any upper bound
on the cnt.
(cherry picked from commit 1a679fb907962843f01b103ec672136a8f8d8edb)
---
sys/fs/nfsserver/nfs_nfsdserv.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/sys/fs/nfsserver/nfs_nfsdserv.c b/sys/fs/nfsserver/nfs_nfsdserv.c
index 88ae643d193e..6047e6f2970e 100644
--- a/sys/fs/nfsserver/nfs_nfsdserv.c
+++ b/sys/fs/nfsserver/nfs_nfsdserv.c
@@ -4950,6 +4950,11 @@ nfsrvd_layoutcommit(struct nfsrv_descript *nd, __unused int isdgram,
NFSM_DISSECT(tl, uint32_t *, 2 * NFSX_UNSIGNED);
layouttype = fxdr_unsigned(int, *tl++);
maxcnt = fxdr_unsigned(int, *tl);
+ /* There is no limit in the RFC, so use 1000 as a sanity limit. */
+ if (maxcnt < 0 || maxcnt > 1000) {
+ error = NFSERR_BADXDR;
+ goto nfsmout;
+ }
if (maxcnt > 0) {
layp = malloc(maxcnt + 1, M_TEMP, M_WAITOK);
error = nfsrv_mtostr(nd, layp, maxcnt);