authorRick Macklem <rmacklem@FreeBSD.org>2021-12-09 22:15:48 +0000
committerRick Macklem <rmacklem@FreeBSD.org>2021-12-23 01:42:24 +0000
commit055b230b85cde066eeedd1417e336d2acf6281b9 (patch)
tree3c68c2ccaa4eceb0276c113134efa1fbe2a08b09
parent55a60738e7af6f388a1ac733bfcaec6d6b70d538 (diff)
nfscl: Sanity check the callback tag length
The sanity check for tag length in a callback request was broken in two ways: It checked for a negative value, but not a large positive value. It did not set taglen to -1, to indicate to the code that it should not be used. This patch fixes both of these issues. PR: 260266 (cherry picked from commit d9931c25617d6625e280fda19bd9c2878e49c091)
-rw-r--r--sys/fs/nfsclient/nfs_clstate.c3
1 files changed, 2 insertions, 1 deletions
diff --git a/sys/fs/nfsclient/nfs_clstate.c b/sys/fs/nfsclient/nfs_clstate.c
index c7b9608da1ba..68e4d3f009bd 100644
--- a/sys/fs/nfsclient/nfs_clstate.c
+++ b/sys/fs/nfsclient/nfs_clstate.c
@@ -3422,8 +3422,9 @@ nfscl_docb(struct nfsrv_descript *nd, NFSPROC_T *p)
nfsrvd_rephead(nd);
NFSM_DISSECT(tl, u_int32_t *, NFSX_UNSIGNED);
taglen = fxdr_unsigned(int, *tl);
- if (taglen < 0) {
+ if (taglen < 0 || taglen > NFSV4_OPAQUELIMIT) {
error = EBADRPC;
+ taglen = -1;
goto nfsmout;
}
if (taglen <= NFSV4_SMALLSTR)
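Review bot: The `taglen = -1;` added on the reject path is a sentinel for code after `nfsmout`, which lies outside this hunk, and nothing at the assignment records that contract. A comment such as `/* Mark the tag as absent so the nfsmout path does not use it. */` would keep a later edit from dropping the line. The `NFSM_DISSECT` call just above presumably can also branch to `nfsmout` on a truncated request, so it is worth confirming that `taglen` already holds -1 at its declaration, which is not visible here. The lower bound also still depends on `fxdr_unsigned(int, *tl)` mapping wire values above INT_MAX to negative numbers; decoding into a `u_int32_t` and testing only `> NFSV4_OPAQUELIMIT` before assigning to `taglen` would remove that dependency.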