Date: Tue, 14 Oct 2025 12:22:50 GMT
Message-Id: <202510141222.59ECMoBK019607@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Olivier Certner
Subject: git: b119ef0f6a81 - main - sys/rpc: UNIX auth: Use AUTH_SYS_MAX_{GROUPS,HOSTNAME} as limits (1/2)
List-Id: Commit messages for the main branch of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main
X-BeenThere: dev-commits-src-main@freebsd.org
Sender: owner-dev-commits-src-main@FreeBSD.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: olce
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: b119ef0f6a81eb32b0e1cd0075cec499543e7ddd
Auto-Submitted: auto-generated

The branch main has been updated by olce:

URL: https://cgit.FreeBSD.org/src/commit/?id=b119ef0f6a81eb32b0e1cd0075cec499543e7ddd

commit b119ef0f6a81eb32b0e1cd0075cec499543e7ddd
Author:     Olivier Certner
AuthorDate: 2025-10-07 08:46:56 +0000
Commit:     Olivier Certner
CommitDate: 2025-10-14 12:21:48 +0000

    sys/rpc: UNIX auth: Use AUTH_SYS_MAX_{GROUPS,HOSTNAME} as limits (1/2)

    Consistently with the XDR_INLINE() variant of xdr_authunix_parms()
    (_svcauth_unix() in 'svc_auth_unix.c'), reject messages with credentials
    having a machine name length in excess of AUTH_SYS_MAX_HOSTNAME or more
    than AUTH_SYS_MAX_GROUPS supplementary groups, which do not conform to
    RFC 5531.

    This is done mainly because we cannot store excess groups anyway, even
    if at odds with the robustness principle ("be liberal in what you
    accept").

    While here, make sure the current code is immune to AUTH_SYS_MAX_GROUPS
    changing value (in future RFCs?) even if that seems improbable.

    Reviewed by:    rmacklem
    Fixes:          dfdcada31e79 ("Add the new kernel-mode NFS Lock Manager.")
    MFC after:      2 days
    Sponsored by:   The FreeBSD Foundation
    Differential Revision:  https://reviews.freebsd.org/D52962
---
 sys/rpc/authunix_prot.c | 33 +++++++++++++++++++++++----------
 1 file changed, 23 insertions(+), 10 deletions(-)
diff --git a/sys/rpc/authunix_prot.c b/sys/rpc/authunix_prot.c index 89f0ab3ed44e..c1a9f90bbe28 100644 --- a/sys/rpc/authunix_prot.c +++ b/sys/rpc/authunix_prot.c @@ -50,9 +50,6 @@ #include -/* gids compose part of a credential; there may not be more than 16 of them */ -#define NGRPS 16 - /* * XDR for unix authentication parameters. */ @@ -65,13 +62,10 @@ xdr_authunix_parms(XDR *xdrs, uint32_t *time, struct xucred *cred) char hostbuf[MAXHOSTNAMELEN]; if (xdrs->x_op == XDR_ENCODE) { - /* - * Restrict name length to 255 according to RFC 1057. - */ getcredhostname(NULL, hostbuf, sizeof(hostbuf)); namelen = strlen(hostbuf); - if (namelen > 255) - namelen = 255; + if (namelen > AUTH_SYS_MAX_HOSTNAME) + namelen = AUTH_SYS_MAX_HOSTNAME; } else { namelen = 0; } @@ -87,6 +81,8 @@ xdr_authunix_parms(XDR *xdrs, uint32_t *time, struct xucred *cred) if (!xdr_opaque(xdrs, hostbuf, namelen)) return (FALSE); } else { + if (namelen > AUTH_SYS_MAX_HOSTNAME) + return (FALSE); xdr_setpos(xdrs, xdr_getpos(xdrs) + RNDUP(namelen)); } 
@@ -112,13 +108,30 @@ xdr_authunix_parms(XDR *xdrs, uint32_t *time, struct xucred *cred) */ MPASS(cred->cr_ngroups <= XU_NGROUPS); supp_ngroups = cred->cr_ngroups - 1; - if (supp_ngroups > NGRPS) - supp_ngroups = NGRPS; + if (supp_ngroups > AUTH_SYS_MAX_GROUPS) + /* With current values, this should never execute. */ + supp_ngroups = AUTH_SYS_MAX_GROUPS; } if (!xdr_uint32_t(xdrs, &supp_ngroups)) return (FALSE); + /* + * Because we cannot store more than XU_NGROUPS in total (16 at time of + * this writing), for now we choose to be strict with respect to RFC + * 5531's maximum number of supplementary groups (AUTH_SYS_MAX_GROUPS). + * That would also be an accidental DoS prevention measure if the + * request handling code didn't try to reassemble it in full without any + * size limits. Although AUTH_SYS_MAX_GROUPS and XU_NGROUPS are equal, + * since the latter includes the "effective" GID, we cannot store the + * last group of a message with exactly AUTH_SYS_MAX_GROUPS + * supplementary groups. We accept such messages so as not to violate + * the protocol, silently dropping the last group on the floor. + */ + + if (xdrs->x_op != XDR_ENCODE && supp_ngroups > AUTH_SYS_MAX_GROUPS) + return (FALSE); + junk = 0; for (i = 0; i < supp_ngroups; ++i) if (!xdr_uint32_t(xdrs, i < XU_NGROUPS - 1 ?
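
Review bot: In the encode branch of the hunk at @@ -65,13 +62,10, the removed comment was the only statement of where the host name limit comes from, and nothing replaces it. The clamp to AUTH_SYS_MAX_HOSTNAME still truncates the name silently, so a one-line comment naming the limit's source (RFC 5531, per the commit message) and noting the truncation would keep that context next to the code instead of only in the log.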
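
Review bot: In the non-encode branch of the hunk at @@ -87,6 +81,8, the return value of xdr_setpos() on the context line right after the new length check is still ignored. The added check bounds namelen, but it does not guarantee that the stream actually holds RNDUP(namelen) more bytes; if the reposition fails, the fields that follow are decoded from wherever the stream was left. Consider failing the decode there as well, e.g. `if (!xdr_setpos(xdrs, xdr_getpos(xdrs) + RNDUP(namelen))) return (FALSE);`. The new check itself also has no comment, while the matching group-count check in the last hunk has a long one; a short note that this is the RFC 5531 limit would make the two consistent.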
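
Review bot: The new block comment in the hunk at @@ -112,13 +108,30 states that a credential carrying exactly AUTH_SYS_MAX_GROUPS supplementary groups is accepted with its last group silently dropped, so the receiver ends up with a different group set than the sender presented and nothing records that it happened. Since that affects later access decisions, it deserves a mention in user-facing documentation or a counter or rate-limited message at the point where the group goes to `junk`. Two smaller points in the same hunk: the blank line between the closing `*/` and the `if (xdrs->x_op != XDR_ENCODE && ...)` check detaches the comment from the code it describes, so the blank line would read better above the comment; and the sentence about "accidental DoS prevention" is hard to parse as written ("if the request handling code didn't try to reassemble it in full") and could be split into a statement of what the limit prevents and what it does not. On the encode side, the unbraced `if (supp_ngroups > AUTH_SYS_MAX_GROUPS)` now has a comment line between the condition and its single statement; braces would make the extent of the body obvious.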