From nobody Thu Oct 30 01:02:16 2025
X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4cxm6d0nCYz6DP3r;
	Thu, 30 Oct 2025 01:02:17 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
	 client-signature RSA-PSS (4096 bits) client-digest SHA256)
	(Client CN "mxrelay.nyi.freebsd.org", Issuer "R12" (verified OK))
	by mx1.freebsd.org (Postfix) with ESMTPS id 4cxm6c70JVz3bt0;
	Thu, 30 Oct 2025 01:02:16 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim;
	t=1761786137;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=/sDXpZzLFIkV52xR+pZ8j5xDdI3AlRjiE86uA7bMgYM=;
	b=j5q++DRoM3Ivm1WbVRFwMBF478frB+eiLSpBMiTDgceC3Y8RXwpNwP4LYoeM7mYmd4SNgo
	cg/xI3I/RGfdsUtjS8ctpGvsSRWbgklJe6KEMlrJqkMHcJDP2VKNL4uAiYMawQExXJibUT
	WoUnH2xppAwUScIpfHdBKLp76EB1L4C2w99a5FqQwm3GB8KkzcsY0eNKIN6yqHwEAxSRpo
	kjufeEP1C8w6pKg7TKpbue9a2xKbNrD6FdU3sTBX+Z7oIV9zjjd+aWpq0VxYjHv6vv19HB
	+I5LmzHTPxG9P1MvybWKx4RX1etu5sAUCrWesXDLU5DaXoAfDpHXdXQLIg1UvA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org;
	s=dkim; t=1761786137;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=/sDXpZzLFIkV52xR+pZ8j5xDdI3AlRjiE86uA7bMgYM=;
	b=YaqVVAf/LfgccmcsnM3rLiDNinZoJwcIgOclT1M/yqCh/hRiozmwlFl3dKn7gfjqwU0Dng
	ZHn040XjgmQz2Bhek6Utp050mpWTkTyb4J6DBqIi7fhv2elGQIfYZjEUHpDJ7QxyJ7+ywC
	d/3wrpHneKhfC1ZoETed/3hLyE/f5OP6LyqlKV6vT4ukqvW7hrYaF6wQ0si5x3DckA/sM+
	kphpzZZZQJ3K9rZg0Nr4oWUsUeIsS8X1oh2lA/SWYZKol3W0KI4wxRjk5dZb9pWQnxoNCt
	6o+o1ArPkXPL6AY7A5STAl62gl2Y3WGVy1s0GCUQdX4nwylt9sBTWjnri4AjFA==
ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1761786137; a=rsa-sha256; cv=none;
	b=uRTCfffUbQtORy7ak/bP2xe/cEuBBE1tM23ZYE8mJ11Tbg//UM2u0xOdstP1tCJNcOkco5
	P5TTeSBjY75C7IMjOGi3jGjn0PV9pm4OoFhW+uvgffviko6VJKYlTnFehLNUge+CAfH5xQ
	bDXedhhS84cIPC60W/q8FP5CqwViNHKwyBVvtcxHVwnonXFu3zIOXy01XUWyx+BcpIVua3
	akzvLjvJYgUZ6p5f9S41RsDnsyUGr/FdRMLTGAlUjcprZanFmbS13krF5oUJaoPJQI85EZ
	twb49KyfOu8+LBbAc0j3uEvFVwoTh5D4nSevaYrNB3ScHuWMGu83lZG3kxq8KQ==
ARC-Authentication-Results: i=1;
	mx1.freebsd.org;
	none
Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(Client did not present a certificate)
	by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4cxm6c6bn1z10hJ;
	Thu, 30 Oct 2025 01:02:16 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from gitrepo.freebsd.org ([127.0.1.44])
	by gitrepo.freebsd.org (8.18.1/8.18.1) with ESMTP id 59U12Gsd005355;
	Thu, 30 Oct 2025 01:02:16 GMT
	(envelope-from git@gitrepo.freebsd.org)
Received: (from git@localhost)
	by gitrepo.freebsd.org (8.18.1/8.18.1/Submit) id 59U12Gp1005352;
	Thu, 30 Oct 2025 01:02:16 GMT
	(envelope-from git)
Date: Thu, 30 Oct 2025 01:02:16 GMT
Message-Id: <202510300102.59U12Gp1005352@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org,
        dev-commits-src-branches@FreeBSD.org
From: Rick Macklem <rmacklem@FreeBSD.org>
Subject: git: 14148591b951 - stable/15 - nfs_clrpcops.c: Add sanity
  checks for the slot cnts
List-Id: Commits to the stable branches of the FreeBSD src repository <dev-commits-src-branches.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches
List-Help: <mailto:dev-commits-src-branches+help@freebsd.org>
List-Post: <mailto:dev-commits-src-branches@freebsd.org>
List-Subscribe: <mailto:dev-commits-src-branches+subscribe@freebsd.org>
List-Unsubscribe: <mailto:dev-commits-src-branches+unsubscribe@freebsd.org>
X-BeenThere: dev-commits-src-branches@freebsd.org
Sender: owner-dev-commits-src-branches@FreeBSD.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: rmacklem
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/15
X-Git-Reftype: branch
X-Git-Commit: 14148591b951e60093afca50fe2497f21ee91950
Auto-Submitted: auto-generated

The branch stable/15 has been updated by rmacklem:

URL: https://cgit.FreeBSD.org/src/commit/?id=14148591b951e60093afca50fe2497f21ee91950

commit 14148591b951e60093afca50fe2497f21ee91950
Author:     Rick Macklem <rmacklem@FreeBSD.org>
AuthorDate: 2025-10-27 14:35:27 +0000
Commit:     Rick Macklem <rmacklem@FreeBSD.org>
CommitDate: 2025-10-30 00:59:27 +0000

    nfs_clrpcops.c: Add sanity checks for the slot cnts
    
    The reply to CreateSession includes the slot cnt for
    both fore and back slots. It should never be larger
    than the argument specified and the fore slot cnt
    should always be at least 1.
    
    Without this patch, the replied slot cnts were not
    being sanity checked.
    
    While here, replace 64 with NFSV4_SLOTS (which is 64).
    
    (cherry picked from commit 3053b2a3dcab6e05311c3b696bee4c9e5698d93a)
---
 sys/fs/nfsclient/nfs_clrpcops.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/sys/fs/nfsclient/nfs_clrpcops.c b/sys/fs/nfsclient/nfs_clrpcops.c
index 4ec621de2eff..efc0c31fc589 100644
--- a/sys/fs/nfsclient/nfs_clrpcops.c
+++ b/sys/fs/nfsclient/nfs_clrpcops.c
@@ -5596,7 +5596,7 @@ nfsrpc_createsession(struct nfsmount *nmp, struct nfsclsession *sep,
 	}
 	*tl++ = txdr_unsigned(4096);		/* Max response size cached */
 	*tl++ = txdr_unsigned(20);		/* Max operations */
-	*tl++ = txdr_unsigned(64);		/* Max slots */
+	*tl++ = txdr_unsigned(NFSV4_SLOTS);	/* Max slots */
 	*tl = 0;				/* No rdma ird */
 
 	/* Fill in back channel attributes. */
@@ -5665,6 +5665,11 @@ nfsrpc_createsession(struct nfsmount *nmp, struct nfsclsession *sep,
 		sep->nfsess_maxcache = fxdr_unsigned(int, *tl++);
 		tl++;
 		sep->nfsess_foreslots = fxdr_unsigned(uint16_t, *tl++);
+		if (sep->nfsess_foreslots == 0) {
+			error = NFSERR_BADXDR;
+			goto nfsmout;
+		} else if (sep->nfsess_foreslots > NFSV4_SLOTS)
+			sep->nfsess_foreslots = NFSV4_SLOTS;
 		NFSCL_DEBUG(4, "fore slots=%d\n", (int)sep->nfsess_foreslots);
 		irdcnt = fxdr_unsigned(int, *tl);
 		if (irdcnt < 0 || irdcnt > 1) {
@@ -5678,6 +5683,8 @@ nfsrpc_createsession(struct nfsmount *nmp, struct nfsclsession *sep,
 		NFSM_DISSECT(tl, uint32_t *, 7 * NFSX_UNSIGNED);
 		tl += 5;
 		sep->nfsess_backslots = fxdr_unsigned(uint16_t, *tl);
+		if (sep->nfsess_backslots > NFSV4_CBSLOTS)
+			sep->nfsess_backslots = NFSV4_CBSLOTS;
 		NFSCL_DEBUG(4, "back slots=%d\n", (int)sep->nfsess_backslots);
 	}
 	error = nd->nd_repstat;