git: 5d37e6975e90 - releng/15.0 - nfs_clrpcops.c: Check for too large a write reply

The branch releng/15.0 has been updated by cperciva:

URL: https://cgit.FreeBSD.org/src/commit/?id=5d37e6975e904e3889ee32a82bb255890aab0d68

commit 5d37e6975e904e3889ee32a82bb255890aab0d68
Author:     Rick Macklem <rmacklem@FreeBSD.org>
AuthorDate: 2025-10-27 14:49:32 +0000
Commit:     Colin Percival <cperciva@FreeBSD.org>
CommitDate: 2025-11-03 20:28:53 +0000

    nfs_clrpcops.c: Check for too large a write reply
    
    The "rlen" reply length for a Write operation/RPC
    could cause trouble if a broken server replies with
    too large a value.
    
    Improve the sanity check for "rlen" to avoid this.
    
    Approved by:    re (cperciva)
    
    (cherry picked from commit 2c82cdd2e29f8ba00d4289f36f8baa1598a1ad9b)
    (cherry picked from commit b5b6ddfc9981f9675cd165fc91d00c205282b716)
---
 sys/fs/nfsclient/nfs_clrpcops.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/sys/fs/nfsclient/nfs_clrpcops.c b/sys/fs/nfsclient/nfs_clrpcops.c
index 06e9d9f87628..ec0d3713dc9f 100644
--- a/sys/fs/nfsclient/nfs_clrpcops.c
+++ b/sys/fs/nfsclient/nfs_clrpcops.c
@@ -2212,7 +2212,7 @@ nfsrpc_writerpc(vnode_t vp, struct uio *uiop, int *iomode,
 				NFSM_DISSECT(tl, u_int32_t *, 2 * NFSX_UNSIGNED
 					+ NFSX_VERF);
 				rlen = fxdr_unsigned(int, *tl++);
-				if (rlen == 0) {
+				if (rlen <= 0 || rlen > len) {
 					error = NFSERR_IO;
 					goto nfsmout;
 				} else if (rlen < len) {
@@ -7254,7 +7254,7 @@ nfsrpc_writeds(vnode_t vp, struct uio *uiop, int *iomode, int *must_commit,
 		NFSM_DISSECT(tl, uint32_t *, 2 * NFSX_UNSIGNED + NFSX_VERF);
 		rlen = fxdr_unsigned(int, *tl++);
 		NFSCL_DEBUG(4, "nfsrpc_writeds: len=%d rlen=%d\n", len, rlen);
-		if (rlen == 0) {
+		if (rlen <= 0 || rlen > len) {
 			error = NFSERR_IO;
 			goto nfsmout;
 		} else if (rlen < len) {