git: 4f7bd8c77981 - stable/14 - nfs_clrpcops.c: Fix two possible large NFSM_DISSECT()s

From: Rick Macklem <rmacklem_at_FreeBSD.org>
Date: Thu, 30 Oct 2025 01:23:28 UTC
The branch stable/14 has been updated by rmacklem:

URL: https://cgit.FreeBSD.org/src/commit/?id=4f7bd8c77981704759f731b5b84896f90b28fa6a

commit 4f7bd8c77981704759f731b5b84896f90b28fa6a
Author:     Rick Macklem <rmacklem@FreeBSD.org>
AuthorDate: 2025-10-27 14:43:02 +0000
Commit:     Rick Macklem <rmacklem@FreeBSD.org>
CommitDate: 2025-10-30 01:20:54 +0000

    nfs_clrpcops.c: Fix two possible large NFSM_DISSECT()s
    
    There are two cases in nfs_clrpcops.c where it was possible
    for the code to attempt to NFSM_DISSECT() a large size,
    which is not allowed by nfsm_dissct().
    
    This patch fixes them.
    
    Reducing the maximum stripecnt should be no problem,
    since there is no extant NFSv4.n server that does striped
    File Layout pNFS and current development is centered
    around the Flex File layout.
    
    (cherry picked from commit b9e6206f593385c80436d267ab759319c1e94e43)
---
 sys/fs/nfsclient/nfs_clrpcops.c | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/sys/fs/nfsclient/nfs_clrpcops.c b/sys/fs/nfsclient/nfs_clrpcops.c
index 527c6b6928ac..bc8611f4c119 100644
--- a/sys/fs/nfsclient/nfs_clrpcops.c
+++ b/sys/fs/nfsclient/nfs_clrpcops.c
@@ -5678,7 +5678,8 @@ nfsrpc_getdeviceinfo(struct nfsmount *nmp, uint8_t *deviceid, int layouttype,
 			NFSM_DISSECT(tl, uint32_t *, NFSX_UNSIGNED);
 			stripecnt = fxdr_unsigned(int, *tl);
 			NFSCL_DEBUG(4, "stripecnt=%d\n", stripecnt);
-			if (stripecnt < 1 || stripecnt > 4096) {
+			if (stripecnt >= MHLEN / NFSX_UNSIGNED ||
+			    stripecnt < 1) {
 				printf("pNFS File layout devinfo stripecnt %d:"
 				    " out of range\n", stripecnt);
 				error = NFSERR_BADXDR;
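Review bot: The new upper bound `MHLEN / NFSX_UNSIGNED` is a derived constant with nothing at the test saying what it protects, so a later change to the stripe-index parsing could loosen it without noticing that the index array is presumably NFSM_DISSECT()ed as one unit and nfsm_dissct() cannot serve a request larger than an mbuf header. A comment above the condition such as `/* The stripe indices are dissected as one block, so they must fit in MHLEN. */` would record the reason and tie it to the dissect that follows. If MHLEN is a sizeof-derived, unsigned expression, the comparison promotes stripecnt to unsigned; that still rejects a negative stripecnt (it becomes a huge value) and the second `stripecnt < 1` test does not change the outcome, but an explicit cast or a short note would make that intent easier to read. The rest of nfsrpc_getdeviceinfo(), including the dissect this bound guards, lies outside the hunk.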
@@ -8124,7 +8125,7 @@ nfsrv_parseug(struct nfsrv_descript *nd, int dogrp, uid_t *uidp, gid_t *gidp,
     NFSPROC_T *p)
 {
 	uint32_t *tl;
-	char *cp, *str, str0[NFSV4_SMALLSTR + 1];
+	char *str, str0[NFSV4_SMALLSTR + 1];
 	uint32_t len = 0;
 	int error = 0;
 
@@ -8147,9 +8148,9 @@ nfsrv_parseug(struct nfsrv_descript *nd, int dogrp, uid_t *uidp, gid_t *gidp,
 		str = malloc(len + 1, M_TEMP, M_WAITOK);
 	else
 		str = str0;
-	NFSM_DISSECT(cp, char *, NFSM_RNDUP(len));
-	NFSBCOPY(cp, str, len);
-	str[len] = '\0';
+	error = nfsrv_mtostr(nd, str, len);
+	if (error != 0)
+		goto nfsmout;
 	NFSCL_DEBUG(4, "nfsrv_parseug: str=%s\n", str);
 	if (dogrp != 0)
 		error = nfsv4_strtogid(nd, str, len, gidp);
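Review bot: The new `if (error != 0) goto nfsmout;` after nfsrv_mtostr() jumps to the cleanup label while `str` may point at a buffer malloc'd just above (len > NFSV4_SMALLSTR); the removed NFSM_DISSECT() also jumped to nfsmout on failure, so this is only a new concern if that label does not free str when it differs from str0, which cannot be confirmed from the hunk. The removed `str[len] = '\0'` and NFSM_RNDUP(len) are now delegated to nfsrv_mtostr(), so the correctness of this path depends on that helper both NUL-terminating str and consuming the XDR padding; a one-line comment, `/* nfsrv_mtostr() NUL-terminates str and skips the XDR round-up padding. */`, would keep that contract visible to the next reader. Because len comes from the server's reply and is used for the `malloc(len + 1, M_TEMP, M_WAITOK)` at the top of the hunk, whatever upper bound is applied to len before the allocation is what keeps a bogus length from forcing a large allocation; that check is outside the hunk and worth re-reading alongside this change. nfsrv_parseug() begins and ends outside the hunk.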