From nobody Mon Dec 27 01:04:10 2021
Date: Mon, 27 Dec 2021 01:04:10 GMT
Message-Id: <202112270104.1BR14A8P083616@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Rick Macklem
Subject: git: e4a65cff230d - stable/12 - nfsd: Limit parsing of layout errors to maxcnt bytes
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
X-Git-Committer: rmacklem
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/12
X-Git-Reftype: branch
X-Git-Commit: e4a65cff230dd1e055ad1651f285e5e11b160cb8

The branch stable/12 has been updated by rmacklem:

URL:
https://cgit.FreeBSD.org/src/commit/?id=e4a65cff230dd1e055ad1651f285e5e11b160cb8 commit e4a65cff230dd1e055ad1651f285e5e11b160cb8 Author: Rick Macklem AuthorDate: 2021-12-13 23:21:31 +0000 Commit: Rick Macklem CommitDate: 2021-12-27 01:00:57 +0000 nfsd: Limit parsing of layout errors to maxcnt bytes This patch decrements maxcnt by the appropriate number of bytes during parsing and checks to see if there is data remaining. If not, it just returns from nfsrv_flexlayouterr() without further processing. This prevents the tl pointer from running off the end of the error data pointed at by layp, if there are flaws in the data. PR: 260293 (cherry picked from commit c302f889e21f73746a3b0917df5246e639df1481) --- sys/fs/nfsserver/nfs_nfsdstate.c | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/sys/fs/nfsserver/nfs_nfsdstate.c b/sys/fs/nfsserver/nfs_nfsdstate.c index d9235ab783c6..882ff97e62fb 100644 --- a/sys/fs/nfsserver/nfs_nfsdstate.c +++ b/sys/fs/nfsserver/nfs_nfsdstate.c @@ -6969,14 +6969,25 @@ nfsrv_flexlayouterr(struct nfsrv_descript *nd, uint32_t *layp, int maxcnt, char devid[NFSX_V4DEVICEID]; tl = layp; - cnt = fxdr_unsigned(int, *tl++); + maxcnt -= NFSX_UNSIGNED; + if (maxcnt > 0) + cnt = fxdr_unsigned(int, *tl++); + else + cnt = 0; NFSD_DEBUG(4, "flexlayouterr cnt=%d\n", cnt); for (i = 0; i < cnt; i++) { + maxcnt -= NFSX_STATEID + 2 * NFSX_HYPER + + NFSX_UNSIGNED; + if (maxcnt <= 0) + break; /* Skip offset, length and stateid for now. */ tl += (4 + NFSX_STATEID / NFSX_UNSIGNED); errcnt = fxdr_unsigned(int, *tl++); NFSD_DEBUG(4, "flexlayouterr errcnt=%d\n", errcnt); for (j = 0; j < errcnt; j++) { + maxcnt -= NFSX_V4DEVICEID + 2 * NFSX_UNSIGNED; + if (maxcnt < 0) + break; NFSBCOPY(tl, devid, NFSX_V4DEVICEID); tl += (NFSX_V4DEVICEID / NFSX_UNSIGNED); stat = fxdr_unsigned(int, *tl++);
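Review bot: the three new bounds checks in nfsrv_flexlayouterr() answer the same question, whether the bytes just subtracted from maxcnt were actually present, with three different comparisons: `if (maxcnt > 0)` before reading cnt, `if (maxcnt <= 0) break;` before each per-segment record, and `if (maxcnt < 0) break;` before each device-error record. Only the last accepts a buffer that the declared data fills exactly; the first two reject that case, which is harmless here only because a count word or record header sitting in the final bytes has no data left for this function to parse, but the mismatch makes the rule hard to audit. Using `< 0` in all three places (the remainder may be zero, never negative) states the invariant once. Consider also an NFSD_DEBUG() on the early-return and break paths: a client that declares more records than it sends is otherwise parsed silently as if it had sent fewer.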
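The commit message describes the general technique: decrement a remaining-byte count by the size of each field group before reading it, and stop as soon as the remainder goes negative, so the data pointer can never be walked off the end by a sender that declares more records than it sends. The following is an added, stand-alone illustration of that approach in userland C; it is not FreeBSD's nfsrv_flexlayouterr() and not the patch. The byte values given to NFSX_UNSIGNED, NFSX_HYPER, NFSX_STATEID and NFSX_V4DEVICEID are assumptions, xdr_u32(), put_u32(), build_blob(), run_case() and struct layerr_result are hypothetical helpers, and the input blobs are constructed (the status value 5 and opnum 38 are just fill).

```c
#include <stdint.h>
#include <string.h>

/* Assumed byte sizes for the constants the patch names. */
#define NFSX_UNSIGNED	4
#define NFSX_HYPER	8
#define NFSX_STATEID	16
#define NFSX_V4DEVICEID	16

/* Decode one big-endian XDR word; stands in for fxdr_unsigned(). */
static uint32_t
xdr_u32(const uint32_t *p)
{
	const uint8_t *b = (const uint8_t *)p;
	return (((uint32_t)b[0] << 24) | ((uint32_t)b[1] << 16) |
	    ((uint32_t)b[2] << 8) | (uint32_t)b[3]);
}

struct layerr_result {
	int entries;	/* segment records decoded */
	int errors;	/* device-error records decoded */
	int truncated;	/* 1 if the declared data did not fit in maxcnt */
	int last_stat;	/* status of the last error record, or -1 */
};

/*
 * Bounds-checked walk over: count, count * { offset(hyper) length(hyper)
 * stateid errcnt, errcnt * { deviceid status opnum } }.  maxcnt is the byte
 * length at layp; each group's size is subtracted from it before the group
 * is read, so tl never advances past layp + maxcnt even when the counts lie.
 */
struct layerr_result
parse_layout_errors(const uint32_t *layp, int maxcnt)
{
	struct layerr_result r = { 0, 0, 0, -1 };
	const uint32_t *tl = layp;
	int cnt, errcnt, i, j;

	maxcnt -= NFSX_UNSIGNED;
	if (maxcnt < 0) { r.truncated = 1; return (r); }
	cnt = (int)xdr_u32(tl++);
	for (i = 0; i < cnt && !r.truncated; i++) {
		maxcnt -= NFSX_STATEID + 2 * NFSX_HYPER + NFSX_UNSIGNED;
		if (maxcnt < 0) { r.truncated = 1; break; }
		tl += (2 * NFSX_HYPER + NFSX_STATEID) / NFSX_UNSIGNED;
		errcnt = (int)xdr_u32(tl++);
		r.entries++;
		for (j = 0; j < errcnt; j++) {
			maxcnt -= NFSX_V4DEVICEID + 2 * NFSX_UNSIGNED;
			if (maxcnt < 0) { r.truncated = 1; break; }
			tl += NFSX_V4DEVICEID / NFSX_UNSIGNED;	/* deviceid */
			r.last_stat = (int)xdr_u32(tl++);	/* status */
			tl++;					/* opnum */
			r.errors++;
		}
	}
	return (r);
}

static uint8_t *
put_u32(uint8_t *p, uint32_t v)
{
	p[0] = v >> 24; p[1] = v >> 16; p[2] = v >> 8; p[3] = v;
	return (p + 4);
}

/*
 * Constructed blob (not captured traffic): the count word, then ONE segment
 * record holding nerr device errors with status `stat`.  declared_cnt may
 * lie about how many records follow.  Returns the number of bytes written.
 */
static int
build_blob(uint8_t *buf, uint32_t declared_cnt, uint32_t nerr, uint32_t stat)
{
	uint8_t *p = buf;
	p = put_u32(p, declared_cnt);
	p = put_u32(p, 0); p = put_u32(p, 0);		/* offset (hyper) */
	p = put_u32(p, 0); p = put_u32(p, 4096);	/* length (hyper) */
	memset(p, 0xaa, NFSX_STATEID); p += NFSX_STATEID;
	p = put_u32(p, nerr);
	for (uint32_t j = 0; j < nerr; j++) {
		memset(p, 0x55, NFSX_V4DEVICEID); p += NFSX_V4DEVICEID;
		p = put_u32(p, stat);
		p = put_u32(p, 38);			/* opnum: OP_WRITE */
	}
	return ((int)(p - buf));
}

/*
 * Build a blob with 2 device errors (status 5) and parse it with maxcnt
 * reduced by `shortfall` bytes.  declared_cnt > 1 models a sender declaring
 * more records than it sends; shortfall > 0 models a buffer that ends early.
 */
struct layerr_result
run_case(uint32_t declared_cnt, int shortfall)
{
	uint32_t words[64];	/* uint32_t storage keeps layp aligned */
	int len = build_blob((uint8_t *)words, declared_cnt, 2, 5);
	return (parse_layout_errors(words, len - shortfall));
}
```

Two choices differ from the patch on purpose. All three checks use `< 0`, so a buffer that the declared data fills exactly parses completely, and the walk records that it was cut short instead of returning silently; a caller can then log or count malformed layout error reports rather than treating them as short but valid ones. With an honest count (run_case(1, 0)) both device errors decode; with a count of 1000 over one record's worth of data the walk stops after the first record and flags truncation; with the buffer cut 8 bytes short only the first device error is decoded.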