[Bug 260546] nfsv4_loadattr() can pass huge sizes to malloc()

From: <bugzilla-noreply_at_freebsd.org>
Date: Wed, 13 Apr 2022 00:57:38 UTC

Rick Macklem <rmacklem@FreeBSD.org> changed:

           What    |Removed                     |Added
           Assignee|bugs@FreeBSD.org            |rmacklem@FreeBSD.org

--- Comment #1 from Rick Macklem <rmacklem@FreeBSD.org> ---
Created attachment 233181
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=233181&action=edit
add a sanity check for a large owner/Owner_group string

There is no upper limit for the length of an
Owner/Owner_group string specified in the RFCs.

As such, this patch uses a large (10K) sanity
limit.  I will post on a FreeBSD mailing list
to try and get a better upper bound for a
user/group name.

However, any reasonable sanity limit should
fix this problem.  I did Owner as well as
Owner_group, since they were both affected the
same way.

If the reporter has a way to test this, maybe
they can report back if the patch fixes the
problem for them?

You are receiving this mail because:
You are the assignee for the bug.