The branch releng/15.0 has been updated by cperciva:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=e5fc5bc53fb83caea92ec9856aa4638ce7a97b46

commit e5fc5bc53fb83caea92ec9856aa4638ce7a97b46
Author:     Rick Macklem <[email protected]>
AuthorDate: 2025-10-28 14:44:14 +0000
Commit:     Colin Percival <[email protected]>
CommitDate: 2025-11-03 20:28:56 +0000

    nfs_commonsubs.c: Add a sanity check for nid_ngroup
    
    The nfsuserd(8) daemon passes user credentials
    (uid + gids) into the kernel for users and groups
    identified by name (received from an NFSv4 server).
    
    This patch adds a sanity check for the number of
    groups (nid_ngroup) passed in.
    
    Its only purpose is to protect against a bogus
    nfsuserd(8) running in a jail.
    
    Approved by:    re (cperciva)
    
    (cherry picked from commit 4672adcea4cf3c0c626d186f1f41c69552d915f1)
    (cherry picked from commit 83a0732a4cfe9f2846e144b39ebe517cbe395fac)
---
 sys/fs/nfs/nfs_commonsubs.c | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/sys/fs/nfs/nfs_commonsubs.c b/sys/fs/nfs/nfs_commonsubs.c
index 7f5b29ca2085..dd3b8b4f1708 100644
--- a/sys/fs/nfs/nfs_commonsubs.c
+++ b/sys/fs/nfs/nfs_commonsubs.c
@@ -4165,10 +4165,15 @@ nfssvc_idname(struct nfsd_idargs *nidp)
            nidp->nid_namelen);
        if (error == 0 && nidp->nid_ngroup > 0 &&
            (nidp->nid_flag & NFSID_ADDUID) != 0) {
-               grps = malloc(sizeof(gid_t) * nidp->nid_ngroup, M_TEMP,
-                   M_WAITOK);
-               error = copyin(nidp->nid_grps, grps,
-                   sizeof(gid_t) * nidp->nid_ngroup);
+               grps = NULL;
+               if (nidp->nid_ngroup > NGROUPS_MAX)
+                       error = EINVAL;
+               if (error == 0) {
+                       grps = malloc(sizeof(gid_t) * nidp->nid_ngroup, M_TEMP,
+                           M_WAITOK);
+                       error = copyin(nidp->nid_grps, grps,
+                           sizeof(gid_t) * nidp->nid_ngroup);
+               }
                if (error == 0) {
                        /*
                         * Create a credential just like svc_getcred(),
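Review bot: The new `nid_ngroup > NGROUPS_MAX` test has no comment explaining why it is there, so the reason survives only in the commit message. The count is supplied by the nfsuserd(8) caller and directly sizes both the `malloc(..., M_WAITOK)` and the `copyin()` that follow. A short comment above the check would keep a later refactor from dropping it, for example `/* nid_ngroup is supplied by nfsuserd(8), possibly from a jail; bound it before it sizes the allocation and copyin. */`. The `grps = NULL` initialisation suggests the cleanup relies on a NULL pointer on the EINVAL path, but the code that frees `grps` and the rest of nfssvc_idname() lie outside this hunk, so that should be confirmed there.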
