The branch releng/15.0 has been updated by cperciva: URL: https://cgit.FreeBSD.org/src/commit/?id=9c47506fc77b38963d4b3ebe16112cc0fa6f5437
commit 9c47506fc77b38963d4b3ebe16112cc0fa6f5437 Author: Rick Macklem <[email protected]> AuthorDate: 2025-10-27 14:35:27 +0000 Commit: Colin Percival <[email protected]> CommitDate: 2025-11-03 20:28:45 +0000 nfs_clrpcops.c: Add sanity checks for the slot cnts The reply to CreateSession includes the slot cnt for both fore and back slots. It should never be larger than the argument specified and the fore slot cnt should always be at least 1. Without this patch, the replied slot cnts were not being sanity checked. While here, replace 64 with NFSV4_SLOTS (which is 64). Approved by: re (cperciva) (cherry picked from commit 3053b2a3dcab6e05311c3b696bee4c9e5698d93a) (cherry picked from commit 14148591b951e60093afca50fe2497f21ee91950)
---
 sys/fs/nfsclient/nfs_clrpcops.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/sys/fs/nfsclient/nfs_clrpcops.c b/sys/fs/nfsclient/nfs_clrpcops.c
index 4ec621de2eff..efc0c31fc589 100644
--- a/sys/fs/nfsclient/nfs_clrpcops.c
+++ b/sys/fs/nfsclient/nfs_clrpcops.c
@@ -5596,7 +5596,7 @@ nfsrpc_createsession(struct nfsmount *nmp, struct nfsclsession *sep,
 }
 *tl++ = txdr_unsigned(4096); /* Max response size cached */
 *tl++ = txdr_unsigned(20); /* Max operations */
- *tl++ = txdr_unsigned(64); /* Max slots */
+ *tl++ = txdr_unsigned(NFSV4_SLOTS); /* Max slots */
 *tl = 0; /* No rdma ird */
 /* Fill in back channel attributes. */
@@ -5665,6 +5665,11 @@ nfsrpc_createsession(struct nfsmount *nmp, struct nfsclsession *sep,
 sep->nfsess_maxcache = fxdr_unsigned(int, *tl++);
 tl++;
 sep->nfsess_foreslots = fxdr_unsigned(uint16_t, *tl++);
+ if (sep->nfsess_foreslots == 0) {
+ error = NFSERR_BADXDR;
+ goto nfsmout;
+ } else if (sep->nfsess_foreslots > NFSV4_SLOTS)
+ sep->nfsess_foreslots = NFSV4_SLOTS;
 NFSCL_DEBUG(4, "fore slots=%d\n", (int)sep->nfsess_foreslots);
 irdcnt = fxdr_unsigned(int, *tl);
 if (irdcnt < 0 || irdcnt > 1) {
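Review bot: The new range check on `sep->nfsess_foreslots` runs after `fxdr_unsigned(uint16_t, *tl++)` has already narrowed the 32-bit wire word to `uint16_t`, so a reply with bits set above the low 16 is judged on the truncated value: 65537 would be accepted as 1 and 65536 would be rejected as 0. The stored count still ends up between 1 and `NFSV4_SLOTS`, so this is about recognising a non-conforming server rather than about bounds safety. Decoding into a 32-bit local first, `slots = fxdr_unsigned(uint32_t, *tl++);`, and applying the same zero and `> NFSV4_SLOTS` tests to `slots` before assigning it to `sep->nfsess_foreslots` would make the check see what the server actually sent. The same narrowing precedes the back-slot clamp in the following hunk. The body of nfsrpc_createsession, including the `nfsmout` label, lies outside this hunk.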
@@ -5678,6 +5683,8 @@ nfsrpc_createsession(struct nfsmount *nmp, struct nfsclsession *sep,
 NFSM_DISSECT(tl, uint32_t *, 7 * NFSX_UNSIGNED);
 tl += 5;
 sep->nfsess_backslots = fxdr_unsigned(uint16_t, *tl);
+ if (sep->nfsess_backslots > NFSV4_CBSLOTS)
+ sep->nfsess_backslots = NFSV4_CBSLOTS;
 NFSCL_DEBUG(4, "back slots=%d\n", (int)sep->nfsess_backslots);
 }
 error = nd->nd_repstat;
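Review bot: The back-slot clamp to `NFSV4_CBSLOTS` carries no comment explaining why an over-large reply is corrected silently and a count of 0 is accepted, while a zero fore-slot count fails with `NFSERR_BADXDR`. If zero is legitimate here (the commit message only requires the fore count to be at least 1), a line such as `/* A back channel slot cnt of 0 is allowed; only cap the upper bound. */` above the `if` would record that. The `NFSCL_DEBUG` call prints the value after clamping, so the count the server sent is not recorded anywhere; printing it before the `if` would keep that evidence. The request-side back channel attributes are outside this hunk, so it cannot be confirmed from here that `NFSV4_CBSLOTS` is the limit that was actually sent.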
