svn commit: r299199 - head/sys/fs/nfs
Ed Maste
emaste at FreeBSD.org
Fri May 6 21:19:29 UTC 2016
Author: emaste
Date: Fri May 6 21:19:28 2016
New Revision: 299199
URL: https://svnweb.freebsd.org/changeset/base/299199
Log:
Add nid_namelen bounds check to nfssvc system call
This is only allowed by root and only used by the nfs daemon, which
should not provide an incorrect value. However, it's still good
practice to validate data provided by userland.
PR: 206626
Reported by: CTurt <cturt at hardenedbsd.org>
Reviewed by: rmacklem
MFC after: 1 month
Differential Revision: https://reviews.freebsd.org/D6201
Modified:
head/sys/fs/nfs/nfs_commonsubs.c
Modified: head/sys/fs/nfs/nfs_commonsubs.c
==============================================================================
--- head/sys/fs/nfs/nfs_commonsubs.c Fri May 6 20:57:41 2016 (r299198)
+++ head/sys/fs/nfs/nfs_commonsubs.c Fri May 6 21:19:28 2016 (r299199)
@@ -3174,6 +3174,10 @@ nfssvc_idname(struct nfsd_idargs *nidp)
static int onethread = 0;
static time_t lasttime = 0;
+ if (nidp->nid_namelen <= 0 || nidp->nid_namelen > MAXHOSTNAMELEN) {
+ error = EINVAL;
+ goto out;
+ }
if (nidp->nid_flag & NFSID_INITIALIZE) {
cp = malloc(nidp->nid_namelen + 1, M_NFSSTRING, M_WAITOK);
error = copyin(CAST_USER_ADDR_T(nidp->nid_name), cp,
More information about the svn-src-all
mailing list