Date: Thu, 16 Oct 2025 18:50:21 GMT
Message-Id: <202510161850.59GIoLga075161@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Colin Percival
Subject: git: fc3b621afdb5 - releng/15.0 - sys/rpc: UNIX auth: Use AUTH_SYS_MAX_{GROUPS,HOSTNAME} as limits (1/2)
List-Id: Commits to the stable branches of the FreeBSD src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches
X-Git-Committer: cperciva
X-Git-Repository: src
X-Git-Refname: refs/heads/releng/15.0
X-Git-Reftype: branch
X-Git-Commit: fc3b621afdb551dc17ebe41134cfdb3799658792

The branch releng/15.0 has been updated by cperciva:

URL: https://cgit.FreeBSD.org/src/commit/?id=fc3b621afdb551dc17ebe41134cfdb3799658792

commit fc3b621afdb551dc17ebe41134cfdb3799658792
Author:     Olivier Certner
AuthorDate: 2025-10-07 08:46:56 +0000
Commit:     Colin Percival
CommitDate: 2025-10-16 18:48:07 +0000

    sys/rpc: UNIX auth: Use AUTH_SYS_MAX_{GROUPS,HOSTNAME} as limits (1/2)

    Consistently with the XDR_INLINE() variant of xdr_authunix_parms()
    (_svcauth_unix() in 'svc_auth_unix.c'), reject messages with credentials
    having a machine name length in excess of AUTH_SYS_MAX_HOSTNAME or more
    than AUTH_SYS_MAX_GROUPS supplementary groups, which do not conform to
    RFC 5531.

    This is done mainly because we cannot store excess groups anyway, even
    if at odds with the robustness principle ("be liberal in what you
    accept").

    While here, make sure the current code is immune to AUTH_SYS_MAX_GROUPS
    changing value (in future RFCs?) even if that seems improbable.

Approved by: re (cperciva) Reviewed by: rmacklem Fixes: dfdcada31e79 ("Add the new kernel-mode NFS Lock Manager.") MFC after: 2 days Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D52962 (cherry picked from commit b119ef0f6a81eb32b0e1cd0075cec499543e7ddd) (cherry picked from commit 34fc20503f04e3c035844f4bfa8eb72964ccbf68) --- sys/rpc/authunix_prot.c | 33 +++++++++++++++++++++++---------- 1 file changed, 23 insertions(+), 10 deletions(-) diff --git a/sys/rpc/authunix_prot.c b/sys/rpc/authunix_prot.c index 89f0ab3ed44e..c1a9f90bbe28 100644 --- a/sys/rpc/authunix_prot.c +++ b/sys/rpc/authunix_prot.c @@ -50,9 +50,6 @@ #include -/* gids compose part of a credential; there may not be more than 16 of them */ -#define NGRPS 16 - /* * XDR for unix authentication parameters. */ @@ -65,13 +62,10 @@ xdr_authunix_parms(XDR *xdrs, uint32_t *time, struct xucred *cred) char hostbuf[MAXHOSTNAMELEN]; if (xdrs->x_op == XDR_ENCODE) { - /* - * Restrict name length to 255 according to RFC 1057. - */ getcredhostname(NULL, hostbuf, sizeof(hostbuf)); namelen = strlen(hostbuf); - if (namelen > 255) - namelen = 255; + if (namelen > AUTH_SYS_MAX_HOSTNAME) + namelen = AUTH_SYS_MAX_HOSTNAME; } else { namelen = 0; } @@ -87,6 +81,8 @@ xdr_authunix_parms(XDR *xdrs, uint32_t *time, struct xucred *cred) if (!xdr_opaque(xdrs, hostbuf, namelen)) return (FALSE); } else { + if (namelen > AUTH_SYS_MAX_HOSTNAME) + return (FALSE); xdr_setpos(xdrs, xdr_getpos(xdrs) + RNDUP(namelen)); } 
@@ -112,13 +108,30 @@ xdr_authunix_parms(XDR *xdrs, uint32_t *time, struct xucred *cred) */ MPASS(cred->cr_ngroups <= XU_NGROUPS); supp_ngroups = cred->cr_ngroups - 1; - if (supp_ngroups > NGRPS) - supp_ngroups = NGRPS; + if (supp_ngroups > AUTH_SYS_MAX_GROUPS) + /* With current values, this should never execute. */ + supp_ngroups = AUTH_SYS_MAX_GROUPS; } if (!xdr_uint32_t(xdrs, &supp_ngroups)) return (FALSE); + /* + * Because we cannot store more than XU_NGROUPS in total (16 at time of + * this writing), for now we choose to be strict with respect to RFC + * 5531's maximum number of supplementary groups (AUTH_SYS_MAX_GROUPS). + * That would also be an accidental DoS prevention measure if the + * request handling code didn't try to reassemble it in full without any + * size limits. Although AUTH_SYS_MAX_GROUPS and XU_NGROUPS are equal, + * since the latter includes the "effective" GID, we cannot store the + * last group of a message with exactly AUTH_SYS_MAX_GROUPS + * supplementary groups. We accept such messages so as not to violate + * the protocol, silently dropping the last group on the floor. + */ + + if (xdrs->x_op != XDR_ENCODE && supp_ngroups > AUTH_SYS_MAX_GROUPS) + return (FALSE); + junk = 0; for (i = 0; i < supp_ngroups; ++i) if (!xdr_uint32_t(xdrs, i < XU_NGROUPS - 1 ?
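
Review bot: In the XDR_ENCODE branch of the "@@ -65,13 +62,10 @@" hunk, the clamp "if (namelen > AUTH_SYS_MAX_HOSTNAME)" is left without any comment: the removed lines cited RFC 1057 for the 255 limit and nothing replaces them. A one-line comment naming RFC 5531, as the commit message does, would keep the reason for truncating the local host name next to the code. Since the buffer is declared as "char hostbuf[MAXHOSTNAMELEN]", it would also help to state whether this clamp can fire at all, the way the groups hunk does with "With current values, this should never execute."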
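
Review bot: In the decode branch of the "@@ -87,6 +81,8 @@" hunk, the result of "xdr_setpos(xdrs, xdr_getpos(xdrs) + RNDUP(namelen));" is still discarded right after the new "namelen > AUTH_SYS_MAX_HOSTNAME" check. A machine name length that is within the limit but longer than what remains in the stream is therefore not rejected here and relies on later reads to fail. Suggest testing the return value of xdr_setpos() and returning FALSE on failure, so that both length problems are handled at the same place.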
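
Review bot: The comment added before the decode-side check in the "@@ -112,13 +108,30 @@" hunk states that a message with exactly AUTH_SYS_MAX_GROUPS supplementary groups is accepted while "silently dropping the last group on the floor"; because group membership feeds access decisions, that loss should be visible to an administrator. Suggest documenting it where the effective limit is described, or counting such credentials, rather than leaving it only in this comment. Two style points in the same hunk: the encode-side "if (supp_ngroups > AUTH_SYS_MAX_GROUPS)" now has a comment line plus a statement as an unbraced body, which would read more safely with braces, and the blank line between the new comment block and the "if (xdrs->x_op != XDR_ENCODE && ..." it documents separates the two.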
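
The decode-side checks described in the commit message, as an added example that is not FreeBSD code: a user-space parser over a flat buffer instead of the kernel's XDR streams. The EX_* constants, struct ex_cred, the function names and the sample bytes are assumptions made for the illustration; 255 and 16 are the limits the patch text refers to.

```c
#include <stddef.h>
#include <stdint.h>

/* RFC 5531 limits (machinename<255>, gids<16>); EX_* names are local to this example. */
#define EX_MAX_HOSTNAME 255u
#define EX_MAX_GROUPS   16u
#define EX_SLOTS        16u	/* total storage incl. effective GID, like XU_NGROUPS */
struct ex_cred { uint32_t uid, ngroups, groups[EX_SLOTS]; };

/* Constructed sample: stamp 0, machine name "host", uid/gid 1001, GIDs 2000 and 2001. */
const uint8_t ex_sample[32] = { 0,0,0,0, 0,0,0,4, 'h','o','s','t', 0,0,3,0xe9,
    0,0,3,0xe9, 0,0,0,2, 0,0,7,0xd0, 0,0,7,0xd1 };

/* Read one big-endian XDR uint32; callers keep *pos <= len. */
static int get_u32(const uint8_t *b, size_t len, size_t *pos, uint32_t *out)
{
	if (len - *pos < 4)
		return 0;
	*out = (uint32_t)b[*pos] << 24 | (uint32_t)b[*pos + 1] << 16 |
	    (uint32_t)b[*pos + 2] << 8 | b[*pos + 3];
	*pos += 4;
	return 1;
}

/* Decode an AUTH_SYS credential body: 1 on success, 0 on reject. */
int ex_decode_authsys(const uint8_t *b, size_t len, struct ex_cred *c)
{
	size_t pos = 0, pad;
	uint32_t stamp, namelen, n, gid, i;
	if (!get_u32(b, len, &pos, &stamp) || !get_u32(b, len, &pos, &namelen) ||
	    namelen > EX_MAX_HOSTNAME)		/* limit check before moving the cursor */
		return 0;
	pad = (namelen + 3u) & ~3u;		/* XDR pads opaque data to 4 bytes */
	if (pad > len - pos)			/* the skip itself must stay in bounds */
		return 0;
	pos += pad;
	if (!get_u32(b, len, &pos, &c->uid) || !get_u32(b, len, &pos, &c->groups[0]) ||
	    !get_u32(b, len, &pos, &n) || n > EX_MAX_GROUPS)	/* reject, never truncate */
		return 0;
	for (c->ngroups = 1, i = 0; i < n; i++) {
		if (!get_u32(b, len, &pos, &gid))
			return 0;
		if (c->ngroups < EX_SLOTS)	/* a 16th supplementary GID is read, not stored */
			c->groups[c->ngroups++] = gid;
	}
	return 1;
}

int main(void) { struct ex_cred c; return !ex_decode_authsys(ex_sample, sizeof(ex_sample), &c); }
```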