Date: Mon, 27 Oct 2025 14:45:58 GMT
Message-Id: <202510271445.59REjwDM083979@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Rick Macklem
Subject: git: b9e6206f5933 - main - nfs_clrpcops.c: Fix two possible large NFSM_DISSECT()s
List-Id: Commit messages for the main branch of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main
X-Git-Committer: rmacklem
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: b9e6206f593385c80436d267ab759319c1e94e43

The branch main has been updated by rmacklem:

URL: https://cgit.FreeBSD.org/src/commit/?id=b9e6206f593385c80436d267ab759319c1e94e43

commit b9e6206f593385c80436d267ab759319c1e94e43
Author:     Rick Macklem
AuthorDate: 2025-10-27 14:43:02 +0000
Commit:     Rick Macklem
CommitDate: 2025-10-27 14:43:02 +0000

    nfs_clrpcops.c: Fix two possible large NFSM_DISSECT()s

    There are two cases in nfs_clrpcops.c where it was possible for
    the code to attempt to NFSM_DISSECT() a large size, which is
    not allowed by nfsm_dissct().

    This patch fixes them.

    Reducing the maximum stripecnt should be no problem, since
    there is no extant NFSv4.n server that does striped File Layout
    pNFS and current development is centered around the Flex File
    layout.

    Reported by:    Ilja Van Sprundel
    Reviewed by:    markj
    MFC after:      3 days
    Differential Revision:  https://reviews.freebsd.org/D53367
---
 sys/fs/nfsclient/nfs_clrpcops.c | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/sys/fs/nfsclient/nfs_clrpcops.c b/sys/fs/nfsclient/nfs_clrpcops.c
index d9f27c3f31a2..c8a130c34412 100644
--- a/sys/fs/nfsclient/nfs_clrpcops.c
+++ b/sys/fs/nfsclient/nfs_clrpcops.c
@@ -5807,7 +5807,8 @@ nfsrpc_getdeviceinfo(struct nfsmount *nmp, uint8_t *deviceid, int layouttype, NFSM_DISSECT(tl, uint32_t *, NFSX_UNSIGNED); stripecnt = fxdr_unsigned(int, *tl); NFSCL_DEBUG(4, "stripecnt=%d\n", stripecnt); - if (stripecnt < 1 || stripecnt > 4096) { + if (stripecnt >= MHLEN / NFSX_UNSIGNED || + stripecnt < 1) { printf("pNFS File layout devinfo stripecnt %d:" " out of range\n", stripecnt); error = NFSERR_BADXDR; @@ -8253,7 +8254,7 @@ nfsrv_parseug(struct nfsrv_descript *nd, int dogrp, uid_t *uidp, gid_t *gidp, NFSPROC_T *p) { uint32_t *tl; - char *cp, *str, str0[NFSV4_SMALLSTR + 1]; + char *str, str0[NFSV4_SMALLSTR + 1]; uint32_t len = 0; int error = 0; @@ -8276,9 +8277,9 @@ nfsrv_parseug(struct nfsrv_descript *nd, int dogrp, uid_t *uidp, gid_t *gidp, str = malloc(len + 1, M_TEMP, M_WAITOK); else str = str0; - NFSM_DISSECT(cp, char *, NFSM_RNDUP(len)); - NFSBCOPY(cp, str, len); - str[len] = '\0'; + error = nfsrv_mtostr(nd, str, len); + if (error != 0) + goto nfsmout; NFSCL_DEBUG(4, "nfsrv_parseug: str=%s\n", str); if (dogrp != 0) error = nfsv4_strtogid(nd, str, len, gidp);
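Review bot: In the nfsrpc_getdeviceinfo() hunk, the new upper bound `stripecnt >= MHLEN / NFSX_UNSIGNED` carries no comment saying why it is tied to MHLEN. The commit message gives the reason (nfsm_dissct() does not allow a large size), but a reader of the source sees only that the fixed 4096 has become a limit that follows MHLEN. Suggest a one-line comment above the check naming the nfsm_dissct() constraint, and consider printing the limit alongside stripecnt in the "out of range" message so a rejected server reply can be diagnosed from the log.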
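Review bot: In the last nfsrv_parseug() hunk, the new `goto nfsmout` taken when nfsrv_mtostr() fails is reached after str may have been set from `malloc(len + 1, M_TEMP, M_WAITOK)`, and the nfsmout label is outside the visible lines; please confirm that path frees str when it is not str0. The removed lines also set `str[len] = '\0'` explicitly and dissected NFSM_RNDUP(len) bytes, while the following NFSCL_DEBUG prints str with %s, so a short comment stating that nfsrv_mtostr() NUL-terminates the buffer and skips the XDR padding would make the replacement easier to verify.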