FreeBSD Bugzilla – Attachment 229822 Details for Bug 260111: NFS v4 server crash due to ACL handling
[patch] Sanity check the acecnt and who size, plus fix a nfsv4_dissectacl() error case
crash5.patch (text/plain), 1.45 KB, created by Rick Macklem on 2021-12-01 00:47:04 UTC
>--- sys/fs/nfs/nfs_commonsubs.c.crash5 2021-11-30 15:04:30.022049000 -0800 >+++ sys/fs/nfs/nfs_commonsubs.c 2021-11-30 16:24:39.205303000 -0800 >@@ -1108,6 +1108,14 @@ nfsrv_dissectacl(struct nfsrv_descript *nd, NFSACL_T * > NFSM_DISSECT(tl, u_int32_t *, NFSX_UNSIGNED); > aclsize = NFSX_UNSIGNED; > acecnt = fxdr_unsigned(int, *tl); >+ /* >+ * The RFCs do not define a fixed limit to the number of ACEs in >+ * an ACL, but 10240 should be more than sufficient. >+ */ >+ if (acecnt < 0 || acecnt > 10240) { >+ error = NFSERR_BADXDR; >+ goto nfsmout; >+ } > if (acecnt > ACL_MAX_ENTRIES) > aceerr = NFSERR_ATTRNOTSUPP; > if (nfsrv_useacl == 0) >@@ -1493,6 +1501,8 @@ nfsv4_loadattr(struct nfsrv_descript *nd, vnode_t vp, > } else { > error = nfsrv_dissectacl(nd, NULL, &aceerr, > &cnt, p); >+ if (error) >+ goto nfsmout; > *retcmpp = NFSERR_ATTRNOTSUPP; > } > } >--- sys/fs/nfs/nfs_commonacl.c.crash5 2021-11-30 15:48:22.026291000 -0800 >+++ sys/fs/nfs/nfs_commonacl.c 2021-11-30 15:50:12.720713000 -0800 >@@ -58,7 +58,11 @@ nfsrv_dissectace(struct nfsrv_descript *nd, struct acl > flag = fxdr_unsigned(u_int32_t, *tl++); > mask = fxdr_unsigned(u_int32_t, *tl++); > len = fxdr_unsigned(int, *tl); >- if (len < 0) { >+ /* >+ * The RFCs do not specify a limit to the length of the "who", but >+ * NFSV4_OPAQUELIMIT (1024) should be sufficient. >+ */ >+ if (len < 0 || len > NFSV4_OPAQUELIMIT) { > error = NFSERR_BADXDR; > goto nfsmout; > } else if (len == 0) {
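Review bot: in the nfsrv_dissectacl() hunk, the upper bound 10240 is a bare literal in `if (acecnt < 0 || acecnt > 10240)`. A named constant in the NFS headers, alongside limits such as NFSV4_OPAQUELIMIT, would keep the comment and the check in sync and make the cap easy to find. The comment could also state how this interacts with the existing test that follows it: counts that pass the new check but exceed ACL_MAX_ENTRIES still only set aceerr = NFSERR_ATTRNOTSUPP, while anything above the new cap now returns NFSERR_BADXDR through nfsmout.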
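Review bot: in the nfsv4_loadattr() hunk, the new `if (error) goto nfsmout;` is added only after the nfsrv_dissectacl(nd, NULL, &aceerr, &cnt, p) call in the else branch. Whatever the branch before `} else {` does with its own return value is outside the visible context, so confirm that path also stops on error before it uses the parsed result. It would also help to note in a comment that the check must precede `*retcmpp = NFSERR_ATTRNOTSUPP;`, since that ordering is what keeps a failed dissect from being reported as an unsupported attribute.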
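Review bot: in the nfsrv_dissectace() hunk, the new comment repeats the value of NFSV4_OPAQUELIMIT as "(1024)", which will go stale silently if the macro is ever changed. Drop the number from the comment and let `len > NFSV4_OPAQUELIMIT` be the single statement of the limit. The rest of the check reads well: the negative case and the oversize case share one NFSERR_BADXDR exit before `len` is used.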