git: 055b230b85cd - stable/12 - nfscl: Sanity check the callback tag length

From: Rick Macklem <rmacklem_at_FreeBSD.org>
Date: Thu, 23 Dec 2021 01:45:33 UTC
The branch stable/12 has been updated by rmacklem:

URL: https://cgit.FreeBSD.org/src/commit/?id=055b230b85cde066eeedd1417e336d2acf6281b9

commit 055b230b85cde066eeedd1417e336d2acf6281b9
Author:     Rick Macklem <rmacklem@FreeBSD.org>
AuthorDate: 2021-12-09 22:15:48 +0000
Commit:     Rick Macklem <rmacklem@FreeBSD.org>
CommitDate: 2021-12-23 01:42:24 +0000

    nfscl: Sanity check the callback tag length
    
    The sanity check for tag length in a callback request
    was broken in two ways:
    
    It checked for a negative value, but not a large positive
    value.
    
    It did not set taglen to -1, to indicate to the code that
    it should not be used.
    
    This patch fixes both of these issues.
    
    PR:     260266
    
    (cherry picked from commit d9931c25617d6625e280fda19bd9c2878e49c091)
---
 sys/fs/nfsclient/nfs_clstate.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/sys/fs/nfsclient/nfs_clstate.c b/sys/fs/nfsclient/nfs_clstate.c
index c7b9608da1ba..68e4d3f009bd 100644
--- a/sys/fs/nfsclient/nfs_clstate.c
+++ b/sys/fs/nfsclient/nfs_clstate.c
@@ -3422,8 +3422,9 @@ nfscl_docb(struct nfsrv_descript *nd, NFSPROC_T *p)
 	nfsrvd_rephead(nd);
 	NFSM_DISSECT(tl, u_int32_t *, NFSX_UNSIGNED);
 	taglen = fxdr_unsigned(int, *tl);
-	if (taglen < 0) {
+	if (taglen < 0 || taglen > NFSV4_OPAQUELIMIT) {
 		error = EBADRPC;
+		taglen = -1;
 		goto nfsmout;
 	}
 	if (taglen <= NFSV4_SMALLSTR)