Date: Mon, 27 Dec 2021 00:57:08 GMT
From: Rick Macklem
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
Subject: git: 030acb63d9a8 - stable/13 - nfsd: Limit parsing of layout errors to maxcnt bytes
Message-Id: <202112270057.1BR0v8dP069804@gitrepo.freebsd.org>
List-Id: Commits to the stable branches of the FreeBSD src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches
X-Git-Committer: rmacklem
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/13
X-Git-Reftype: branch
X-Git-Commit: 030acb63d9a86b9a7bd15b06e60699abfa8a0a2b

The branch stable/13 has been updated by rmacklem:

URL:
https://cgit.FreeBSD.org/src/commit/?id=030acb63d9a86b9a7bd15b06e60699abfa8a0a2b commit 030acb63d9a86b9a7bd15b06e60699abfa8a0a2b Author: Rick Macklem AuthorDate: 2021-12-13 23:21:31 +0000 Commit: Rick Macklem CommitDate: 2021-12-27 00:53:50 +0000 nfsd: Limit parsing of layout errors to maxcnt bytes This patch decrements maxcnt by the appropriate number of bytes during parsing and checks to see if there is data remaining. If not, it just returns from nfsrv_flexlayouterr() without further processing. This prevents the tl pointer from running off the end of the error data pointed at by layp, if there are flaws in the data. PR: 260293 (cherry picked from commit c302f889e21f73746a3b0917df5246e639df1481) --- sys/fs/nfsserver/nfs_nfsdstate.c | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/sys/fs/nfsserver/nfs_nfsdstate.c b/sys/fs/nfsserver/nfs_nfsdstate.c index 67f615ecea7c..1d0884683904 100644 --- a/sys/fs/nfsserver/nfs_nfsdstate.c +++ b/sys/fs/nfsserver/nfs_nfsdstate.c @@ -7001,14 +7001,25 @@ nfsrv_flexlayouterr(struct nfsrv_descript *nd, uint32_t *layp, int maxcnt, char devid[NFSX_V4DEVICEID]; tl = layp; - cnt = fxdr_unsigned(int, *tl++); + maxcnt -= NFSX_UNSIGNED; + if (maxcnt > 0) + cnt = fxdr_unsigned(int, *tl++); + else + cnt = 0; NFSD_DEBUG(4, "flexlayouterr cnt=%d\n", cnt); for (i = 0; i < cnt; i++) { + maxcnt -= NFSX_STATEID + 2 * NFSX_HYPER + + NFSX_UNSIGNED; + if (maxcnt <= 0) + break; /* Skip offset, length and stateid for now. */ tl += (4 + NFSX_STATEID / NFSX_UNSIGNED); errcnt = fxdr_unsigned(int, *tl++); NFSD_DEBUG(4, "flexlayouterr errcnt=%d\n", errcnt); for (j = 0; j < errcnt; j++) { + maxcnt -= NFSX_V4DEVICEID + 2 * NFSX_UNSIGNED; + if (maxcnt < 0) + break; NFSBCOPY(tl, devid, NFSX_V4DEVICEID); tl += (NFSX_V4DEVICEID / NFSX_UNSIGNED); stat = fxdr_unsigned(int, *tl++);
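Review bot: the three bound checks in this hunk are not consistent with each other: the cnt read uses `if (maxcnt > 0)` and the outer loop uses `if (maxcnt <= 0) break;`, while the inner loop uses `if (maxcnt < 0) break;`. Because maxcnt has already been decremented by the size of the field about to be read, maxcnt == 0 means that field fits exactly, so `< 0` is the right test in all three places; as written, a 4-byte buffer yields cnt = 0 without reading it, and an entry whose errcnt word ends exactly at the end of the data is skipped. Both are harmless here since those cases carry no error records to act on, but the asymmetry invites a wrong "fix" later; suggest `maxcnt < 0` throughout, or a comment explaining why the outer checks are stricter. Two smaller points: the commit message says the function "just returns" on short data, but the hunk only `break`s out of the loops, so whatever follows them still runs on the partially parsed state (a `return` would match the message, or the message could say "stops parsing"); and when the inner loop breaks, the outer loop does one more pass and relies on the already-negative maxcnt to trip its own check before tl is used again, which works but is easy to miss when reading.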
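The bounded walk the commit message describes, as an added stand-alone example (my code, not FreeBSD's nfsd): every field is charged against the remaining byte count before it is dereferenced, next to an offset-only replay of the pre-patch walk that shows where trusting cnt/errcnt would first read past the buffer. The NFSX_* sizes, the record layout (offset, length, stateid, errcnt per entry; deviceid, status, opnum per error) and the sample bytes are assumptions made for this example; unlike the patch, it reports truncation to the caller instead of silently breaking out.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Sizes as this example assumes them; every XDR field is whole 4-byte words. */
#define NFSX_UNSIGNED   4
#define NFSX_HYPER      8
#define NFSX_STATEID    16
#define NFSX_V4DEVICEID 16
#define ENTRY_HDR (2 * NFSX_HYPER + NFSX_STATEID + NFSX_UNSIGNED) /* offset, length, stateid, errcnt */
#define ERR_REC   (NFSX_V4DEVICEID + 2 * NFSX_UNSIGNED)          /* deviceid, status, opnum */

/* XDR words are big-endian; decode/encode byte-wise so host order does not matter. */
static uint32_t xdr_get(const uint32_t *p)
{
	const uint8_t *b = (const uint8_t *)p;
	return ((uint32_t)b[0] << 24) | ((uint32_t)b[1] << 16) | ((uint32_t)b[2] << 8) | b[3];
}
static uint32_t xdr_put(uint32_t v)
{
	uint32_t w;
	uint8_t *b = (uint8_t *)&w;
	b[0] = v >> 24; b[1] = v >> 16; b[2] = v >> 8; b[3] = v;
	return w;
}

struct layout_err { uint8_t devid[NFSX_V4DEVICEID]; int stat; int opnum; };

/* Bounded walk: returns the number of error records parsed; *truncated is set
 * when cnt/errcnt promised more data than maxcnt bytes actually hold. */
int flexlayouterr_bounded(const uint32_t *layp, int maxcnt,
    struct layout_err *out, int outmax, int *truncated)
{
	const uint32_t *tl = layp;
	int cnt, errcnt, i, j, n = 0;

	*truncated = 0;
	maxcnt -= NFSX_UNSIGNED;
	if (maxcnt < 0) { *truncated = 1; return 0; }
	/* As with fxdr_unsigned(int, ...), a count >= 2^31 goes negative and ends the loop. */
	cnt = (int)xdr_get(tl++);
	for (i = 0; i < cnt; i++) {
		maxcnt -= ENTRY_HDR;
		if (maxcnt < 0) { *truncated = 1; return n; }
		tl += (2 * NFSX_HYPER + NFSX_STATEID) / NFSX_UNSIGNED; /* skip offset, length, stateid */
		errcnt = (int)xdr_get(tl++);
		for (j = 0; j < errcnt; j++) {
			maxcnt -= ERR_REC;
			if (maxcnt < 0) { *truncated = 1; return n; }
			if (n < outmax) {
				memcpy(out[n].devid, tl, NFSX_V4DEVICEID);
				out[n].stat = (int)xdr_get(tl + NFSX_V4DEVICEID / NFSX_UNSIGNED);
				out[n].opnum = (int)xdr_get(tl + NFSX_V4DEVICEID / NFSX_UNSIGNED + 1);
			}
			tl += ERR_REC / NFSX_UNSIGNED;
			n++;
		}
	}
	return n;
}

/* The pre-patch walk, trusting cnt/errcnt, replayed on offsets only so it is safe
 * to run: returns the byte offset of the first record it would dereference beyond
 * len, or -1 if every read stays inside the buffer. */
long flexlayouterr_unbounded_reach(const uint32_t *layp, int len)
{
	long off = 0;
	int cnt, errcnt, i, j;

	if (off + NFSX_UNSIGNED > len) return off;
	cnt = (int)xdr_get(layp);
	off += NFSX_UNSIGNED;
	for (i = 0; i < cnt; i++) {
		off += 2 * NFSX_HYPER + NFSX_STATEID;       /* skipped fields are never read */
		if (off + NFSX_UNSIGNED > len) return off; /* errcnt read */
		errcnt = (int)xdr_get(layp + off / NFSX_UNSIGNED);
		off += NFSX_UNSIGNED;
		for (j = 0; j < errcnt; j++) {
			if (off + ERR_REC > len) return off; /* deviceid/status/opnum read */
			off += ERR_REC;
		}
	}
	return -1;
}

/* Constructed sample: exactly one entry holding one error record, with whatever
 * cnt/errcnt the caller asks to have written into the headers. Returns bytes used. */
int build_sample(uint32_t *buf, uint32_t cnt, uint32_t errcnt)
{
	uint32_t *p = buf;
	int k;

	*p++ = xdr_put(cnt);
	for (k = 0; k < (2 * NFSX_HYPER + NFSX_STATEID) / NFSX_UNSIGNED; k++) *p++ = xdr_put(0);
	*p++ = xdr_put(errcnt);
	for (k = 0; k < NFSX_V4DEVICEID / NFSX_UNSIGNED; k++) *p++ = xdr_put(0x11111111u);
	*p++ = xdr_put(5);   /* status: arbitrary value for the example */
	*p++ = xdr_put(38);  /* opnum: arbitrary value for the example */
	return (int)((p - buf) * NFSX_UNSIGNED);
}

int main(void)
{
	uint32_t buf[64];
	struct layout_err errs[4];
	int len, n, trunc;

	len = build_sample(buf, 1, 1);
	n = flexlayouterr_bounded(buf, len, errs, 4, &trunc);
	printf("well-formed: %d records, truncated=%d, unbounded reach=%ld\n",
	    n, trunc, flexlayouterr_unbounded_reach(buf, len));
	len = build_sample(buf, 1, 1000); /* errcnt lies about what follows */
	n = flexlayouterr_bounded(buf, len, errs, 4, &trunc);
	printf("errcnt=1000: %d records, truncated=%d, unbounded reach=%ld of %d bytes\n",
	    n, trunc, flexlayouterr_unbounded_reach(buf, len), len);
	return 0;
}
```

With a lying errcnt the bounded parser still returns the one record that really is there and flags the cut-off, while the replay shows the old walk would have dereferenced at offset 64 of a 64-byte buffer; a lying cnt pushes that first bad read to offset 96.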