git: 83a0732a4cfe - stable/15 - nfs_commonsubs.c: Add a sanity check for nid_ngroup
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Thu, 30 Oct 2025 14:05:46 UTC
The branch stable/15 has been updated by rmacklem:
URL: https://cgit.FreeBSD.org/src/commit/?id=83a0732a4cfe9f2846e144b39ebe517cbe395fac
commit 83a0732a4cfe9f2846e144b39ebe517cbe395fac
Author: Rick Macklem <rmacklem@FreeBSD.org>
AuthorDate: 2025-10-28 14:44:14 +0000
Commit: Rick Macklem <rmacklem@FreeBSD.org>
CommitDate: 2025-10-30 14:02:49 +0000
nfs_commonsubs.c: Add a sanity check for nid_ngroup
The nfsuserd(8) daemon passes user credentials
(uid + gids) into the kernel for users and groups
identified by name (received from a NFSv4 server).
This patch add a sanity check for the number of
groups (nid_ngroup) passed in.
It's only purpose is to protect against a bogus
nfsuserd(8) running in a jail.
(cherry picked from commit 4672adcea4cf3c0c626d186f1f41c69552d915f1)
---
sys/fs/nfs/nfs_commonsubs.c | 13 +++++++++----
1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/sys/fs/nfs/nfs_commonsubs.c b/sys/fs/nfs/nfs_commonsubs.c
index 7f5b29ca2085..dd3b8b4f1708 100644
--- a/sys/fs/nfs/nfs_commonsubs.c
+++ b/sys/fs/nfs/nfs_commonsubs.c
@@ -4165,10 +4165,15 @@ nfssvc_idname(struct nfsd_idargs *nidp)
nidp->nid_namelen);
if (error == 0 && nidp->nid_ngroup > 0 &&
(nidp->nid_flag & NFSID_ADDUID) != 0) {
- grps = malloc(sizeof(gid_t) * nidp->nid_ngroup, M_TEMP,
- M_WAITOK);
- error = copyin(nidp->nid_grps, grps,
- sizeof(gid_t) * nidp->nid_ngroup);
+ grps = NULL;
+ if (nidp->nid_ngroup > NGROUPS_MAX)
+ error = EINVAL;
+ if (error == 0) {
+ grps = malloc(sizeof(gid_t) * nidp->nid_ngroup, M_TEMP,
+ M_WAITOK);
+ error = copyin(nidp->nid_grps, grps,
+ sizeof(gid_t) * nidp->nid_ngroup);
+ }
if (error == 0) {
/*
* Create a credential just like svc_getcred(),