| author | Mark Johnston <markj@FreeBSD.org> | 2026-03-24 02:12:42 +0000 |
|---|---|---|
| committer | Gordon Tetlow <gordon@FreeBSD.org> | 2026-03-26 01:30:00 +0000 |
| commit | 99ec7f9b9e4836733fbfeea272422a4d0d7adfd8 (patch) | |
| tree | ca80c3782fbc546db55cd912fadba2e16ee54187 /libexec/rbootd | |
| parent | 536751cb4e159b7957e2b63ba44924b2f7f8e5cc (diff) | |
stable/13

rpcsec_gss: Fix a stack overflow in svc_rpc_gss_validate()

svc_rpc_gss_validate() copies the input message into a stack buffer
without ensuring that the buffer is large enough. Sure enough,
oa_length may be up to 400 bytes, much larger than the provided space.
This enables an unauthenticated user to trigger an overflow and obtain
remote code execution.

Add a runtime check which verifies that the copy won't overflow.

Approved by: so
Security: FreeBSD-SA-26:08.rpcsec_gss
Security: CVE-2026-4747
Reported by: Nicholas Carlini <npc@anthropic.com>
Reviewed by: rmacklem
Fixes: a9148abd9da5d
(cherry picked from commit 143293c14f8de00c6d3de88cd23fc224e7014206)
Diffstat (limited to 'libexec/rbootd')
0 files changed, 0 insertions, 0 deletions
