Add nid_namelen bounds check to nfssvc system call

This is only allowed by root and only used by the nfs daemon, which
should not provide an incorrect value. However, it's still good
practice to validate data provided by userland.

PR:		206626
Reported by:	CTurt <cturt@hardenedbsd.org>
Reviewed by:	rmacklem
MFC after:	1 month
Differential Revision:	https://reviews.freebsd.org/D6201
Ed Maste 2016-05-06 21:19:28 +00:00
parent 6247277a02
commit 8edac6eee6
Notes: svn2git 2020-12-20 02:59:44 +00:00
svn path=/head/; revision=299199


@ -3174,6 +3174,10 @@ nfssvc_idname(struct nfsd_idargs *nidp)
static int onethread = 0;
static time_t lasttime = 0;
if (nidp->nid_namelen <= 0 || nidp->nid_namelen > MAXHOSTNAMELEN) {
error = EINVAL;
goto out;
}
if (nidp->nid_flag & NFSID_INITIALIZE) {
cp = malloc(nidp->nid_namelen + 1, M_NFSSTRING, M_WAITOK);
error = copyin(CAST_USER_ADDR_T(nidp->nid_name), cp,
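Review bot: The new check at the top of nfssvc_idname() uses MAXHOSTNAMELEN as the upper bound, with no comment saying why a hostname limit is the right cap for nid_namelen. A one-line comment above `if (nidp->nid_namelen <= 0 || nidp->nid_namelen > MAXHOSTNAMELEN) {` would document that choice for later readers. The check also sits ahead of the `nidp->nid_flag & NFSID_INITIALIZE` test, so it applies to every request whatever the flag. It is worth confirming that no caller legitimately passes a nid_namelen of 0, since that now returns EINVAL. With the bound in place, the `nidp->nid_namelen + 1` size passed to malloc() can no longer be zero, negative or oversized, which is the effect the commit message describes.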