diff options
| author | Rick Macklem <rmacklem@FreeBSD.org> | 2021-12-13 23:21:31 +0000 |
|---|---|---|
| committer | Rick Macklem <rmacklem@FreeBSD.org> | 2021-12-27 00:53:50 +0000 |
| commit | 030acb63d9a86b9a7bd15b06e60699abfa8a0a2b (patch) | |
| tree | 02a58f8452044a0b476348280cff16ce3d46e3bc | |
| parent | 2520c9ba7e34abfc4717123b4f8d8d2460cd4df1 (diff) | |
| download | src-030acb63d9a86b9a7bd15b06e60699abfa8a0a2b.tar.gz src-030acb63d9a86b9a7bd15b06e60699abfa8a0a2b.zip | |
nfsd: Limit parsing of layout errors to maxcnt bytes
This patch decrements maxcnt by the appropriate
number of bytes during parsing and checks to see
if there is data remaining. If not, it just returns
from nfsrv_flexlayouterr() without further processing.
This prevents the tl pointer from running off the end
of the error data pointed at by layp, if there are
flaws in the data.
PR: 260293
(cherry picked from commit c302f889e21f73746a3b0917df5246e639df1481)
| -rw-r--r-- | sys/fs/nfsserver/nfs_nfsdstate.c | 13 |
1 files changed, 12 insertions, 1 deletions
diff --git a/sys/fs/nfsserver/nfs_nfsdstate.c b/sys/fs/nfsserver/nfs_nfsdstate.c index 67f615ecea7c..1d0884683904 100644 --- a/sys/fs/nfsserver/nfs_nfsdstate.c +++ b/sys/fs/nfsserver/nfs_nfsdstate.c @@ -7001,14 +7001,25 @@ nfsrv_flexlayouterr(struct nfsrv_descript *nd, uint32_t *layp, int maxcnt, char devid[NFSX_V4DEVICEID]; tl = layp; - cnt = fxdr_unsigned(int, *tl++); + maxcnt -= NFSX_UNSIGNED; + if (maxcnt > 0) + cnt = fxdr_unsigned(int, *tl++); + else + cnt = 0; NFSD_DEBUG(4, "flexlayouterr cnt=%d\n", cnt); for (i = 0; i < cnt; i++) { + maxcnt -= NFSX_STATEID + 2 * NFSX_HYPER + + NFSX_UNSIGNED; + if (maxcnt <= 0) + break; /* Skip offset, length and stateid for now. */ tl += (4 + NFSX_STATEID / NFSX_UNSIGNED); errcnt = fxdr_unsigned(int, *tl++); NFSD_DEBUG(4, "flexlayouterr errcnt=%d\n", errcnt); for (j = 0; j < errcnt; j++) { + maxcnt -= NFSX_V4DEVICEID + 2 * NFSX_UNSIGNED; + if (maxcnt < 0) + break; NFSBCOPY(tl, devid, NFSX_V4DEVICEID); tl += (NFSX_V4DEVICEID / NFSX_UNSIGNED); stat = fxdr_unsigned(int, *tl++); |