nfsd: Add a sanity check for Owner/OwnerGroup string length
Robert Morris reported that, if a client sends an absurdly large Owner/OwnerGroup string, the kernel malloc() for the large size string can block forever. This patch adds a sanity limit for Owner/OwnerGroup string length. Since the RFCs do not specify any limit and FreeBSD can handle a group name greater than 1Kbyte, the limit is set at a generous 10Kbytes. Reported by: rtm@lcs.mit.edu PR: 260546 MFC after: 2 weeks
parent
f32bf50d43
commit
ef4edb70c9
@ -143,6 +143,13 @@
|
||||
|
||||
#define NFS_READDIRBLKSIZ DIRBLKSIZ /* Minimal nm_readdirsize */
|
||||
|
||||
/*
|
||||
* The NFSv4 RFCs do not define an upper limit on the length of Owner and
|
||||
* OwnerGroup strings. Since FreeBSD handles a group name > 1024bytes in
|
||||
* length, set a generous sanity limit of 10Kbytes.
|
||||
*/
|
||||
#define NFSV4_MAXOWNERGROUPLEN (10 * 1024)
|
||||
|
||||
/*
|
||||
* Oddballs
|
||||
*/
|
||||
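Review bot: The comment above `NFSV4_MAXOWNERGROUPLEN` explains why 10Kbytes was chosen but not what the limit protects, so a later maintainer has no cue that raising it increases how much memory a remote peer can make the kernel allocate per attribute. I would add one sentence to the comment, for example `* The limit bounds the allocation made for a length supplied by the peer.` The name also reads as OwnerGroup-only although the comment says it covers Owner as well; a short mention of that in the comment would avoid the confusion without a rename.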
|
@ -1843,7 +1843,7 @@ nfsv4_loadattr(struct nfsrv_descript *nd, vnode_t vp,
|
||||
case NFSATTRBIT_OWNER:
|
||||
NFSM_DISSECT(tl, u_int32_t *, NFSX_UNSIGNED);
|
||||
j = fxdr_unsigned(int, *tl);
|
||||
if (j < 0) {
|
||||
if (j < 0 || j > NFSV4_MAXOWNERGROUPLEN) {
|
||||
error = NFSERR_BADXDR;
|
||||
goto nfsmout;
|
||||
}
|
||||
@ -1876,7 +1876,7 @@ nfsv4_loadattr(struct nfsrv_descript *nd, vnode_t vp,
|
||||
case NFSATTRBIT_OWNERGROUP:
|
||||
NFSM_DISSECT(tl, u_int32_t *, NFSX_UNSIGNED);
|
||||
j = fxdr_unsigned(int, *tl);
|
||||
if (j < 0) {
|
||||
if (j < 0 || j > NFSV4_MAXOWNERGROUPLEN) {
|
||||
error = NFSERR_BADXDR;
|
||||
goto nfsmout;
|
||||
}
|
||||
|
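Review bot: The new bound in the `NFSATTRBIT_OWNER` case, and identically in the `NFSATTRBIT_OWNERGROUP` case, returns `NFSERR_BADXDR` for a length that is well-formed XDR but over a local limit, and nothing at the check says so. A one-line comment above each test, such as `/* Local sanity limit, not an RFC one: bounds the string allocation that follows. */`, would keep a reader from mistaking the rejection for a protocol rule when diagnosing interoperability reports. The two guards are the same three lines, so a small shared macro or helper would keep them from drifting apart. `nfsv4_loadattr` starts and ends outside these hunks, and the allocation the commit message refers to is not visible here, so I cannot confirm from this page that no other length-prefixed string in the function reaches an allocation unchecked.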