nfscl: Sanity check the callback tag length

The sanity check for tag length in a callback request
was broken in two ways:

It checked for a negative value, but not a large positive
value.

It did not set taglen to -1, to indicate to the code that
it should not be used.

This patch fixes both of these issues.

Reported by:	rtm@lcs.mit.edu
Tested by:	rtm@lcs.mit.edu
PR:	260266
MFC after:	2 weeks
Rick Macklem 2021-12-09 14:15:48 -08:00
parent 0f74021fb6
commit d9931c2561


@ -3531,8 +3531,9 @@ nfscl_docb(struct nfsrv_descript *nd, NFSPROC_T *p)
nfsrvd_rephead(nd);
NFSM_DISSECT(tl, u_int32_t *, NFSX_UNSIGNED);
taglen = fxdr_unsigned(int, *tl);
if (taglen < 0) {
if (taglen < 0 || taglen > NFSV4_OPAQUELIMIT) {
error = EBADRPC;
taglen = -1;
goto nfsmout;
}
if (taglen <= NFSV4_SMALLSTR)
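Review bot: The `taglen = -1;` assignment in the error branch has no comment, so in the code it reads like a dead store just before `goto nfsmout`. A one-line comment stating that a negative taglen marks the tag as unusable for later code (as the commit message explains) would keep a future cleanup from removing it. A second, smaller point on the check itself: the length is converted with `fxdr_unsigned(int, *tl)` and then needs both `taglen < 0` and `taglen > NFSV4_OPAQUELIMIT`. If the later uses of taglen allow it, decoding into an unsigned variable would let one upper-bound comparison reject both cases, with the -1 sentinel kept in a separate flag or assigned after the check.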