authorRick Macklem <rmacklem@FreeBSD.org>2021-11-26 23:56:29 +0000
committerRick Macklem <rmacklem@FreeBSD.org>2021-11-26 23:56:29 +0000
commit5b430a132330bd4a4ea37780807947f3800d009e (patch)
treee6af9399de127544abbd12954d71de32d9835634
parentbdd57cbb1bdafcf2ebffa73c52f0fffc9410ea7b (diff)
nfsd: Sanity check the len argument for ListXattr
The check for the original len being >= retlen needs to be done before the "if (nd->nd_repstat == 0)" code, so that it can be reported as too small. Reported by: rtm@lcs.mit.edu Tested by: rtm@lcs.mit.edu PR: 260046 MFC after: 2 weeks
-rw-r--r--sys/fs/nfsserver/nfs_nfsdserv.c6
1 files changed, 4 insertions, 2 deletions
diff --git a/sys/fs/nfsserver/nfs_nfsdserv.c b/sys/fs/nfsserver/nfs_nfsdserv.c
index 80c492251ce8..4c5dade2c278 100644
--- a/sys/fs/nfsserver/nfs_nfsdserv.c
+++ b/sys/fs/nfsserver/nfs_nfsdserv.c
@@ -6095,10 +6095,12 @@ nfsrvd_listxattr(struct nfsrv_descript *nd, __unused int isdgram,
if (cookie2 < cookie)
nd->nd_repstat = NFSERR_BADXDR;
}
+ retlen = NFSX_HYPER + 2 * NFSX_UNSIGNED;
+ if (nd->nd_repstat == 0 && len2 < retlen)
+ nd->nd_repstat = NFSERR_TOOSMALL;
if (nd->nd_repstat == 0) {
/* Now copy the entries out. */
- retlen = NFSX_HYPER + 2 * NFSX_UNSIGNED;
- if (len == 0 && retlen <= len2) {
+ if (len == 0) {
/* The cookie was at eof. */
NFSM_BUILD(tl, uint32_t *, NFSX_HYPER + 2 *
NFSX_UNSIGNED);
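Review bot: The new `len2 < retlen` guard has no comment saying what the two values are, and only the commit message explains that `len2` is the original length argument from the request. A comment above the `retlen` assignment would record this, for example `/* len2 is the original request len; it must at least hold the fixed reply fields, else NFSERR_TOOSMALL. */`. As a smaller style point, the `NFSM_BUILD` in the eof branch still spells out `NFSX_HYPER + 2 * NFSX_UNSIGNED`, which is the value `retlen` holds at that point, so the bound checked and the size built can drift apart if one is edited later. The declarations of `len2` and `retlen` and the rest of `nfsrvd_listxattr` are outside the hunk, so it is worth confirming that `retlen` is not reused with a different meaning before changing the build size.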