git: d9931c25617d - main - nfscl: Sanity check the callback tag length
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Thu, 09 Dec 2021 22:19:11 UTC
The branch main has been updated by rmacklem:
URL: https://cgit.FreeBSD.org/src/commit/?id=d9931c25617d6625e280fda19bd9c2878e49c091
commit d9931c25617d6625e280fda19bd9c2878e49c091
Author: Rick Macklem <rmacklem@FreeBSD.org>
AuthorDate: 2021-12-09 22:15:48 +0000
Commit: Rick Macklem <rmacklem@FreeBSD.org>
CommitDate: 2021-12-09 22:15:48 +0000
nfscl: Sanity check the callback tag length
The sanity check for tag length in a callback request
was broken in two ways:
It checked for a negative value, but not a large positive
value.
It did not set taglen to -1, to indicate to the code that
it should not be used.
This patch fixes both of these issues.
Reported by: rtm@lcs.mit.edu
Tested by: rtm@lcs.mit.edu
PR: 260266
MFC after: 2 weeks
---
sys/fs/nfsclient/nfs_clstate.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/sys/fs/nfsclient/nfs_clstate.c b/sys/fs/nfsclient/nfs_clstate.c
index 082469aef1bc..ead90fd49c14 100644
--- a/sys/fs/nfsclient/nfs_clstate.c
+++ b/sys/fs/nfsclient/nfs_clstate.c
@@ -3531,8 +3531,9 @@ nfscl_docb(struct nfsrv_descript *nd, NFSPROC_T *p)
nfsrvd_rephead(nd);
NFSM_DISSECT(tl, u_int32_t *, NFSX_UNSIGNED);
taglen = fxdr_unsigned(int, *tl);
- if (taglen < 0) {
+ if (taglen < 0 || taglen > NFSV4_OPAQUELIMIT) {
error = EBADRPC;
+ taglen = -1;
goto nfsmout;
}
if (taglen <= NFSV4_SMALLSTR)