The branch stable/15 has been updated by rmacklem: URL: https://cgit.FreeBSD.org/src/commit/?id=c69e0be70f4693940873f16e5019bd229a410369
commit c69e0be70f4693940873f16e5019bd229a410369 Author: Rick Macklem <[email protected]> AuthorDate: 2025-10-27 14:24:47 +0000 Commit: Rick Macklem <[email protected]> CommitDate: 2025-10-30 00:57:59 +0000 nfs_nfsdserv.c: Add a sanity check for layout commit cnt If a client were to send a LayoutCommit (seldom used and only for a pNFS server) with a bogus cnt, there could be problems with a malloc() call that uses it. This patch adds a sanity check for the cnt. Note that RFC8881 does not specify any upper bound on the cnt. (cherry picked from commit 1a679fb907962843f01b103ec672136a8f8d8edb) --- sys/fs/nfsserver/nfs_nfsdserv.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/sys/fs/nfsserver/nfs_nfsdserv.c b/sys/fs/nfsserver/nfs_nfsdserv.c index a881968b03be..9dda65d5cbcf 100644 --- a/sys/fs/nfsserver/nfs_nfsdserv.c +++ b/sys/fs/nfsserver/nfs_nfsdserv.c @@ -5128,6 +5128,11 @@ nfsrvd_layoutcommit(struct nfsrv_descript *nd, __unused int isdgram, NFSM_DISSECT(tl, uint32_t *, 2 * NFSX_UNSIGNED); layouttype = fxdr_unsigned(int, *tl++); maxcnt = fxdr_unsigned(int, *tl); + /* There is no limit in the RFC, so use 1000 as a sanity limit. */ + if (maxcnt < 0 || maxcnt > 1000) { + error = NFSERR_BADXDR; + goto nfsmout; + } if (maxcnt > 0) { layp = malloc(maxcnt + 1, M_TEMP, M_WAITOK); error = nfsrv_mtostr(nd, layp, maxcnt);
