git: b5c577931db1 - stable/12 - nfsd: Sanity check the ACL attribute

Go to: [ bottom of page ] [ top of archives ] [ this month ]
From: Rick Macklem <rmacklem_at_FreeBSD.org>
Date: Wed, 15 Dec 2021 01:42:09 UTC
The branch stable/12 has been updated by rmacklem:

URL: https://cgit.FreeBSD.org/src/commit/?id=b5c577931db12c68f5a20fa11c9502049c3cdb40

commit b5c577931db12c68f5a20fa11c9502049c3cdb40
Author:     Rick Macklem <rmacklem@FreeBSD.org>
AuthorDate: 2021-12-01 21:55:17 +0000
Commit:     Rick Macklem <rmacklem@FreeBSD.org>
CommitDate: 2021-12-15 01:38:56 +0000

    nfsd: Sanity check the ACL attribute
    
    When an ACL is presented to the NFSv4 server in
    Setattr or Verify, parsing of the ACL assumed a
    sane acecnt and sane sizes for the "who" strings.
    This patch adds sanity checks for these.
    
    The patch also fixes handling of an error
    return from nfsrv_dissectacl() for one broken
    case.
    
    PR:     260111
    
    (cherry picked from commit fd020f197d6ac481d36171ea69fe555eb911d673)
---
 sys/fs/nfs/nfs_commonacl.c  |  6 +++++-
 sys/fs/nfs/nfs_commonsubs.c | 10 ++++++++++
 2 files changed, 15 insertions(+), 1 deletion(-)

diff --git a/sys/fs/nfs/nfs_commonacl.c b/sys/fs/nfs/nfs_commonacl.c
index 7fb744417d6a..6254a6b6568c 100644
--- a/sys/fs/nfs/nfs_commonacl.c
+++ b/sys/fs/nfs/nfs_commonacl.c
@@ -58,7 +58,11 @@ nfsrv_dissectace(struct nfsrv_descript *nd, struct acl_entry *acep,
 	flag = fxdr_unsigned(u_int32_t, *tl++);
 	mask = fxdr_unsigned(u_int32_t, *tl++);
 	len = fxdr_unsigned(int, *tl);
-	if (len < 0) {
+	/*
+	 * The RFCs do not specify a limit to the length of the "who", but
+	 * NFSV4_OPAQUELIMIT (1024) should be sufficient.
+	 */
+	if (len < 0 || len > NFSV4_OPAQUELIMIT) {
 		error = NFSERR_BADXDR;
 		goto nfsmout;
 	} else if (len == 0) {
diff --git a/sys/fs/nfs/nfs_commonsubs.c b/sys/fs/nfs/nfs_commonsubs.c
index e4120d4d9e78..dcdf2e96c7e8 100644
--- a/sys/fs/nfs/nfs_commonsubs.c
+++ b/sys/fs/nfs/nfs_commonsubs.c
@@ -1085,6 +1085,14 @@ nfsrv_dissectacl(struct nfsrv_descript *nd, NFSACL_T *aclp, int *aclerrp,
 	NFSM_DISSECT(tl, u_int32_t *, NFSX_UNSIGNED);
 	aclsize = NFSX_UNSIGNED;
 	acecnt = fxdr_unsigned(int, *tl);
+	/*
+	 * The RFCs do not define a fixed limit to the number of ACEs in
+	 * an ACL, but 10240 should be more than sufficient.
+	 */
+	if (acecnt < 0 || acecnt > 10240) {
+		error = NFSERR_BADXDR;
+		goto nfsmout;
+	}
 	if (acecnt > ACL_MAX_ENTRIES)
 		aceerr = NFSERR_ATTRNOTSUPP;
 	if (nfsrv_useacl == 0)
@@ -1468,6 +1476,8 @@ nfsv4_loadattr(struct nfsrv_descript *nd, vnode_t vp,
 			    } else {
 				error = nfsrv_dissectacl(nd, NULL, &aceerr,
 				    &cnt, p);
+				if (error)
+				    goto nfsmout;
 				*retcmpp = NFSERR_ATTRNOTSUPP;
 			    }
 			  }