nfsd: Sanity check the Layouttype count

Reported by: rtm@lcs.mit.edu Tested by: rtm@lcs.mit.edu PR: 260155 MFC after: 2 weeks
2021-12-04 14:18:48 -08:00 · 2021-12-04 14:18:48 -08:00 · 480be96e1e
commit 480be96e1e
parent 1aa249c935
1 changed files with 9 additions and 0 deletions
--- a/sys/fs/nfs/nfs_commonsubs.c
+++ b/sys/fs/nfs/nfs_commonsubs.c
@ -2186,6 +2186,15 @@ nfsv4_loadattr(struct nfsrv_descript *nd, vnode_t vp,
 			NFSM_DISSECT(tl, u_int32_t *, NFSX_UNSIGNED);
 			attrsum += NFSX_UNSIGNED;
 			i = fxdr_unsigned(int, *tl);
+			/*
+			 * The RFCs do not define an upper limit for the
+			 * number of layout types, but 32 should be more
+			 * than enough.
+			 */
+			if (i < 0 || i > 32) {
+				error = NFSERR_BADXDR;
+				goto nfsmout;
+			}
 			if (i > 0) {
 				NFSM_DISSECT(tl, u_int32_t *, i *
 				    NFSX_UNSIGNED);