nfsd: Sanity check the ACL attribute
When an ACL is presented to the NFSv4 server in Setattr or Verify, parsing of the ACL assumed a sane acecnt and sane sizes for the "who" strings. This patch adds sanity checks for these. The patch also fixes handling of an error return from nfsrv_dissectacl() for one broken case. Reported by: rtm@lcs.mit.edu Tested by: rtm@lcs.mit.edu PR: 260111 MFC after: 2 weeks
This commit is contained in:
parent
33d0be8a92
commit
fd020f197d
@ -58,7 +58,11 @@ nfsrv_dissectace(struct nfsrv_descript *nd, struct acl_entry *acep,
|
||||
flag = fxdr_unsigned(u_int32_t, *tl++);
|
||||
mask = fxdr_unsigned(u_int32_t, *tl++);
|
||||
len = fxdr_unsigned(int, *tl);
|
||||
if (len < 0) {
|
||||
/*
|
||||
* The RFCs do not specify a limit to the length of the "who", but
|
||||
* NFSV4_OPAQUELIMIT (1024) should be sufficient.
|
||||
*/
|
||||
if (len < 0 || len > NFSV4_OPAQUELIMIT) {
|
||||
error = NFSERR_BADXDR;
|
||||
goto nfsmout;
|
||||
} else if (len == 0) {
|
||||
|
@ -1107,6 +1107,14 @@ nfsrv_dissectacl(struct nfsrv_descript *nd, NFSACL_T *aclp, int *aclerrp,
|
||||
NFSM_DISSECT(tl, u_int32_t *, NFSX_UNSIGNED);
|
||||
aclsize = NFSX_UNSIGNED;
|
||||
acecnt = fxdr_unsigned(int, *tl);
|
||||
/*
|
||||
* The RFCs do not define a fixed limit to the number of ACEs in
|
||||
* an ACL, but 10240 should be more than sufficient.
|
||||
*/
|
||||
if (acecnt < 0 || acecnt > 10240) {
|
||||
error = NFSERR_BADXDR;
|
||||
goto nfsmout;
|
||||
}
|
||||
if (acecnt > ACL_MAX_ENTRIES)
|
||||
aceerr = NFSERR_ATTRNOTSUPP;
|
||||
if (nfsrv_useacl == 0)
|
||||
@ -1492,6 +1500,8 @@ nfsv4_loadattr(struct nfsrv_descript *nd, vnode_t vp,
|
||||
} else {
|
||||
error = nfsrv_dissectacl(nd, NULL, &aceerr,
|
||||
&cnt, p);
|
||||
if (error)
|
||||
goto nfsmout;
|
||||
*retcmpp = NFSERR_ATTRNOTSUPP;
|
||||
}
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user