Date: Mon, 3 Nov 2025 20:29:42 GMT
Message-Id: <202511032029.5A3KTgIK050980@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Colin Percival
Subject: git: 82579ee1f0f8 - releng/15.0 - nfs_clrpcops.c: Fix two possible large NFSM_DISSECT()s
List-Id: Commits to the stable branches of the FreeBSD src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches

The branch releng/15.0 has been updated by cperciva:

URL: https://cgit.FreeBSD.org/src/commit/?id=82579ee1f0f88c8e38f6c9dfe21b52f59b23a769

commit 82579ee1f0f88c8e38f6c9dfe21b52f59b23a769
Author:     Rick Macklem
AuthorDate: 2025-10-27 14:43:02 +0000
Commit:     Colin Percival
CommitDate: 2025-11-03 20:28:49 +0000

    nfs_clrpcops.c: Fix two possible large NFSM_DISSECT()s

    There are two cases in nfs_clrpcops.c where it was possible for the
    code to attempt to NFSM_DISSECT() a large size, which is not allowed
    by nfsm_dissct().

    This patch fixes them.

    Reducing the maximum stripecnt should be no problem, since there is
    no extant NFSv4.n server that does striped File Layout pNFS and
    current development is centered around the Flex File layout.

    Approved by: re (cperciva)

    (cherry picked from commit b9e6206f593385c80436d267ab759319c1e94e43)
    (cherry picked from commit 609c4eb70afeb713ab38efcb34c55cfa71a5838a)
---
 sys/fs/nfsclient/nfs_clrpcops.c | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/sys/fs/nfsclient/nfs_clrpcops.c b/sys/fs/nfsclient/nfs_clrpcops.c index efc0c31fc589..06e9d9f87628 100644 --- a/sys/fs/nfsclient/nfs_clrpcops.c +++ b/sys/fs/nfsclient/nfs_clrpcops.c
@@ -5804,7 +5804,8 @@ nfsrpc_getdeviceinfo(struct nfsmount *nmp, uint8_t *deviceid, int layouttype, NFSM_DISSECT(tl, uint32_t *, NFSX_UNSIGNED); stripecnt = fxdr_unsigned(int, *tl); NFSCL_DEBUG(4, "stripecnt=%d\n", stripecnt); - if (stripecnt < 1 || stripecnt > 4096) { + if (stripecnt >= MHLEN / NFSX_UNSIGNED || + stripecnt < 1) { printf("pNFS File layout devinfo stripecnt %d:" " out of range\n", stripecnt); error = NFSERR_BADXDR; @@ -8250,7 +8251,7 @@ nfsrv_parseug(struct nfsrv_descript *nd, int dogrp, uid_t *uidp, gid_t *gidp, NFSPROC_T *p) { uint32_t *tl; - char *cp, *str, str0[NFSV4_SMALLSTR + 1]; + char *str, str0[NFSV4_SMALLSTR + 1]; uint32_t len = 0; int error = 0; @@ -8273,9 +8274,9 @@ nfsrv_parseug(struct nfsrv_descript *nd, int dogrp, uid_t *uidp, gid_t *gidp, str = malloc(len + 1, M_TEMP, M_WAITOK); else str = str0; - NFSM_DISSECT(cp, char *, NFSM_RNDUP(len)); - NFSBCOPY(cp, str, len); - str[len] = '\0'; + error = nfsrv_mtostr(nd, str, len); + if (error != 0) + goto nfsmout; NFSCL_DEBUG(4, "nfsrv_parseug: str=%s\n", str); if (dogrp != 0) error = nfsv4_strtogid(nd, str, len, gidp);
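Review bot: In the nfsrpc_getdeviceinfo() hunk, the new upper bound `stripecnt >= MHLEN / NFSX_UNSIGNED` has no comment explaining why the limit is now derived from MHLEN rather than the previous literal 4096. A one-line comment above the check tying it to the size nfsm_dissct() accepts (the reason given in the commit message) would keep a later reader from restoring a larger constant. The "out of range" printf could also print the limit alongside stripecnt, since the accepted range is no longer a fixed number.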