Attachment 229822 Details for Bug 260111 – Sanity check the acecnt and who size, plus fix a nfsv4_dissectacl() error case

[patch] Sanity check the acecnt and who size, plus fix a nfsv4_dissectacl() error case

crash5.patch (text/plain), 1.45 KB, created by Rick Macklem on 2021-12-01 00:47:04 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Rick Macklem

Created: 2021-12-01 00:47:04 UTC

Size: 1.45 KB

patch

obsolete

>--- sys/fs/nfs/nfs_commonsubs.c.crash5	2021-11-30 15:04:30.022049000 -0800
>+++ sys/fs/nfs/nfs_commonsubs.c	2021-11-30 16:24:39.205303000 -0800
>@@ -1108,6 +1108,14 @@ nfsrv_dissectacl(struct nfsrv_descript *nd, NFSACL_T *
> 	NFSM_DISSECT(tl, u_int32_t *, NFSX_UNSIGNED);
> 	aclsize = NFSX_UNSIGNED;
> 	acecnt = fxdr_unsigned(int, *tl);
>+	/*
>+	 * The RFCs do not define a fixed limit to the number of ACEs in
>+	 * an ACL, but 10240 should be more than sufficient.
>+	 */
>+	if (acecnt < 0 || acecnt > 10240) {
>+		error = NFSERR_BADXDR;
>+		goto nfsmout;
>+	}
> 	if (acecnt > ACL_MAX_ENTRIES)
> 		aceerr = NFSERR_ATTRNOTSUPP;
> 	if (nfsrv_useacl == 0)
>@@ -1493,6 +1501,8 @@ nfsv4_loadattr(struct nfsrv_descript *nd, vnode_t vp,
> 			    } else {
> 				error = nfsrv_dissectacl(nd, NULL, &aceerr,
> 				    &cnt, p);
>+				if (error)
>+				    goto nfsmout;
> 				*retcmpp = NFSERR_ATTRNOTSUPP;
> 			    }
> 			  }
>--- sys/fs/nfs/nfs_commonacl.c.crash5	2021-11-30 15:48:22.026291000 -0800
>+++ sys/fs/nfs/nfs_commonacl.c	2021-11-30 15:50:12.720713000 -0800
>@@ -58,7 +58,11 @@ nfsrv_dissectace(struct nfsrv_descript *nd, struct acl
> 	flag = fxdr_unsigned(u_int32_t, *tl++);
> 	mask = fxdr_unsigned(u_int32_t, *tl++);
> 	len = fxdr_unsigned(int, *tl);
>-	if (len < 0) {
>+	/*
>+	 * The RFCs do not specify a limit to the length of the "who", but
>+	 * NFSV4_OPAQUELIMIT (1024) should be sufficient.
>+	 */
>+	if (len < 0 || len > NFSV4_OPAQUELIMIT) {
> 		error = NFSERR_BADXDR;
> 		goto nfsmout;
> 	} else if (len == 0) {

Actions: View | Diff

Attachments on bug 260111: 229786 | 229822