git: f01978f464ce - stable/13 - nfsd: Add a sanity check for Owner/OwnerGroup string length

Go to: [ bottom of page ] [ top of archives ] [ this month ]
From: Rick Macklem <rmacklem_at_FreeBSD.org>
Date: Fri, 20 May 2022 00:36:49 UTC
The branch stable/13 has been updated by rmacklem:

URL: https://cgit.FreeBSD.org/src/commit/?id=f01978f464cea1cffeb1a66a18f92d98380dd7f2

commit f01978f464cea1cffeb1a66a18f92d98380dd7f2
Author:     Rick Macklem <rmacklem@FreeBSD.org>
AuthorDate: 2022-05-04 20:58:22 +0000
Commit:     Rick Macklem <rmacklem@FreeBSD.org>
CommitDate: 2022-05-20 00:36:22 +0000

    nfsd: Add a sanity check for Owner/OwnerGroup string length
    
    Robert Morris reported that, if a client sends an absurdly
    large Owner/OwnerGroup string, the kernel malloc() for the
    large size string can block forever.
    
    This patch adds a sanity limit for Owner/OwnerGroup string
    length.  Since the RFCs do not specify any limit and FreeBSD
    can handle a group name greater than 1Kbyte, the limit is
    set at a generous 10Kbytes.
    
    PR:     260546
    
    (cherry picked from commit ef4edb70c909fc2b1de867601c2230597d07daa0)
---
 sys/fs/nfs/nfs.h            | 7 +++++++
 sys/fs/nfs/nfs_commonsubs.c | 4 ++--
 2 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/sys/fs/nfs/nfs.h b/sys/fs/nfs/nfs.h
index 1a29a7e1d6ec..ffd612331c1f 100644
--- a/sys/fs/nfs/nfs.h
+++ b/sys/fs/nfs/nfs.h
@@ -143,6 +143,13 @@
 
 #define	NFS_READDIRBLKSIZ	DIRBLKSIZ	/* Minimal nm_readdirsize */
 
+/*
+ * The NFSv4 RFCs do not define an upper limit on the length of Owner and
+ * OwnerGroup strings.  Since FreeBSD handles a group name > 1024bytes in
+ * length, set a generous sanity limit of 10Kbytes.
+ */
+#define	NFSV4_MAXOWNERGROUPLEN	(10 * 1024)
+
 /*
  * Oddballs
  */
diff --git a/sys/fs/nfs/nfs_commonsubs.c b/sys/fs/nfs/nfs_commonsubs.c
index 51071a6f03ca..eb6746ec3041 100644
--- a/sys/fs/nfs/nfs_commonsubs.c
+++ b/sys/fs/nfs/nfs_commonsubs.c
@@ -1838,7 +1838,7 @@ nfsv4_loadattr(struct nfsrv_descript *nd, vnode_t vp,
 		case NFSATTRBIT_OWNER:
 			NFSM_DISSECT(tl, u_int32_t *, NFSX_UNSIGNED);
 			j = fxdr_unsigned(int, *tl);
-			if (j < 0) {
+			if (j < 0 || j > NFSV4_MAXOWNERGROUPLEN) {
 				error = NFSERR_BADXDR;
 				goto nfsmout;
 			}
@@ -1871,7 +1871,7 @@ nfsv4_loadattr(struct nfsrv_descript *nd, vnode_t vp,
 		case NFSATTRBIT_OWNERGROUP:
 			NFSM_DISSECT(tl, u_int32_t *, NFSX_UNSIGNED);
 			j = fxdr_unsigned(int, *tl);
-			if (j < 0) {
+			if (j < 0 || j > NFSV4_MAXOWNERGROUPLEN) {
 				error =  NFSERR_BADXDR;
 				goto nfsmout;
 			}