From nobody Mon Nov 03 20:29:41 2025
X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4d0jqn3wKlz6Fj45;
	Mon, 03 Nov 2025 20:29:41 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
	 client-signature RSA-PSS (4096 bits) client-digest SHA256)
	(Client CN "mxrelay.nyi.freebsd.org", Issuer "R12" (verified OK))
	by mx1.freebsd.org (Postfix) with ESMTPS id 4d0jqn23X2z3KF0;
	Mon, 03 Nov 2025 20:29:41 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim;
	t=1762201781;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=ld2jpE9uRokXD1ca/x9vGMx+heJxTo8nwJxnfLRvVnE=;
	b=HtRJDS+Lv/vF+d+NXzPb7goABXnIXa6mX5gBxX+wjRcdY6XAmJYVNF0ygkiQoV3W6IjB9I
	ZaBDFIwq2NGtym29xBtPEqhbFU6x8ROffWL7ehZbpjXjTD+bPKiQme2P21mlY6jNHWFPlI
	Md4L6YloHnDD/Cw3o/7CXbtVTbVBo1dHz+oDZOcReC48Jp6UMM/oaAFMdUaNBy5wYwAR0t
	aUe4Y0ANW/aclSh/tza6cyJ3xFCqzKokeJiDxfHybrjfUUhYznAzc/LWyWvgc+Je/RCjES
	OXPwIcUexraT0U012gOxcAPVBigygGJRJaazlVsYCZAlfW6jP43wEQ9M6wrJ6A==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org;
	s=dkim; t=1762201781;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=ld2jpE9uRokXD1ca/x9vGMx+heJxTo8nwJxnfLRvVnE=;
	b=cet0I3tLCvHWFb3JFTaT9q/qLUKyDJJUZUshXxIg0K4091oVYKbNvtNG3puzStZORFmpg3
	NoJp6YkE3RhiwO63mpqlY2oehRxSgWAbY6Tfr46pY/9yv/PFpXqMeJt9rvNVsVKpS1tObT
	yDjVCGMq9CUZ0rCuzPxMQknbwYVioEj+jOy2zSlpLcd06Jeih4t+/LW2OutEKZJY57KEud
	eBypcU4IA5hnPHfkRQTR2xg6Nx7RXSxO9imcrHZYTtXTHmwrTnW7fiGXb4J+LGVnDo0gU+
	FhNbqgO0/kRtITvy/wN02uZp0NeU5g7N6kRPL/dToAod0g0XUC2EFJGvVKEhcw==
ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1762201781; a=rsa-sha256; cv=none;
	b=WN4OQh8U5nVLFQUfbEtOgFgBafEf8PXPwdqizaSCVNWO8qQXWv2YiV/oIUtvHgB6lj/6x7
	27jhjrIA2yn8V5OD2VFBGkcMpIApW5IC92aBlFUJ8CyXO64vEp6iJuxAyzuMql9oNk9zH2
	D0kIP4PFREcMxoyoptTQO3DfYM7RXGVZwj1nhjBq7B7ZJd3hLi2SSGWyJhwDzK06rHaUcJ
	HsIK2nI1Y11Ib256fz+9fAOgS5YIlYNBHCq3644Ir/7PVKRSJ7VhGs5bdGTHiYRCMg17fj
	gBwbv8YT9FwcDFNkmiEixPBndOiSXYooJJUAjvYWU8PKrkwP9zleoHxJx+aCew==
ARC-Authentication-Results: i=1;
	mx1.freebsd.org;
	none
Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(Client did not present a certificate)
	by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4d0jqn1c52z9x1;
	Mon, 03 Nov 2025 20:29:41 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from gitrepo.freebsd.org ([127.0.1.44])
	by gitrepo.freebsd.org (8.18.1/8.18.1) with ESMTP id 5A3KTfQW050949;
	Mon, 3 Nov 2025 20:29:41 GMT
	(envelope-from git@gitrepo.freebsd.org)
Received: (from git@localhost)
	by gitrepo.freebsd.org (8.18.1/8.18.1/Submit) id 5A3KTfNq050946;
	Mon, 3 Nov 2025 20:29:41 GMT
	(envelope-from git)
Date: Mon, 3 Nov 2025 20:29:41 GMT
Message-Id: <202511032029.5A3KTfNq050946@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org,
        dev-commits-src-branches@FreeBSD.org
From: Colin Percival <cperciva@FreeBSD.org>
Subject: git: 9c47506fc77b - releng/15.0 - nfs_clrpcops.c: Add
  sanity checks for the slot cnts
List-Id: Commits to the stable branches of the FreeBSD src repository <dev-commits-src-branches.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches
List-Help: <mailto:dev-commits-src-branches+help@freebsd.org>
List-Post: <mailto:dev-commits-src-branches@freebsd.org>
List-Subscribe: <mailto:dev-commits-src-branches+subscribe@freebsd.org>
List-Unsubscribe: <mailto:dev-commits-src-branches+unsubscribe@freebsd.org>
X-BeenThere: dev-commits-src-branches@freebsd.org
Sender: owner-dev-commits-src-branches@FreeBSD.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: cperciva
X-Git-Repository: src
X-Git-Refname: refs/heads/releng/15.0
X-Git-Reftype: branch
X-Git-Commit: 9c47506fc77b38963d4b3ebe16112cc0fa6f5437
Auto-Submitted: auto-generated

The branch releng/15.0 has been updated by cperciva:

URL: https://cgit.FreeBSD.org/src/commit/?id=9c47506fc77b38963d4b3ebe16112cc0fa6f5437

commit 9c47506fc77b38963d4b3ebe16112cc0fa6f5437
Author:     Rick Macklem <rmacklem@FreeBSD.org>
AuthorDate: 2025-10-27 14:35:27 +0000
Commit:     Colin Percival <cperciva@FreeBSD.org>
CommitDate: 2025-11-03 20:28:45 +0000

    nfs_clrpcops.c: Add sanity checks for the slot cnts
    
    The reply to CreateSession includes the slot cnt for
    both fore and back slots. It should never be larger
    than the argument specified and the fore slot cnt
    should always be at least 1.
    
    Without this patch, the replied slot cnts were not
    being sanity checked.
    
    While here, replace 64 with NFSV4_SLOTS (which is 64).
    
    Approved by:    re (cperciva)
    
    (cherry picked from commit 3053b2a3dcab6e05311c3b696bee4c9e5698d93a)
    (cherry picked from commit 14148591b951e60093afca50fe2497f21ee91950)
---
 sys/fs/nfsclient/nfs_clrpcops.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/sys/fs/nfsclient/nfs_clrpcops.c b/sys/fs/nfsclient/nfs_clrpcops.c
index 4ec621de2eff..efc0c31fc589 100644
--- a/sys/fs/nfsclient/nfs_clrpcops.c
+++ b/sys/fs/nfsclient/nfs_clrpcops.c
@@ -5596,7 +5596,7 @@ nfsrpc_createsession(struct nfsmount *nmp, struct nfsclsession *sep,
 	}
 	*tl++ = txdr_unsigned(4096);		/* Max response size cached */
 	*tl++ = txdr_unsigned(20);		/* Max operations */
-	*tl++ = txdr_unsigned(64);		/* Max slots */
+	*tl++ = txdr_unsigned(NFSV4_SLOTS);	/* Max slots */
 	*tl = 0;				/* No rdma ird */
 
 	/* Fill in back channel attributes. */
@@ -5665,6 +5665,11 @@ nfsrpc_createsession(struct nfsmount *nmp, struct nfsclsession *sep,
 		sep->nfsess_maxcache = fxdr_unsigned(int, *tl++);
 		tl++;
 		sep->nfsess_foreslots = fxdr_unsigned(uint16_t, *tl++);
+		if (sep->nfsess_foreslots == 0) {
+			error = NFSERR_BADXDR;
+			goto nfsmout;
+		} else if (sep->nfsess_foreslots > NFSV4_SLOTS)
+			sep->nfsess_foreslots = NFSV4_SLOTS;
 		NFSCL_DEBUG(4, "fore slots=%d\n", (int)sep->nfsess_foreslots);
 		irdcnt = fxdr_unsigned(int, *tl);
 		if (irdcnt < 0 || irdcnt > 1) {
@@ -5678,6 +5683,8 @@ nfsrpc_createsession(struct nfsmount *nmp, struct nfsclsession *sep,
 		NFSM_DISSECT(tl, uint32_t *, 7 * NFSX_UNSIGNED);
 		tl += 5;
 		sep->nfsess_backslots = fxdr_unsigned(uint16_t, *tl);
+		if (sep->nfsess_backslots > NFSV4_CBSLOTS)
+			sep->nfsess_backslots = NFSV4_CBSLOTS;
 		NFSCL_DEBUG(4, "back slots=%d\n", (int)sep->nfsess_backslots);
 	}
 	error = nd->nd_repstat;