git: fd020f197d6a - main - nfsd: Sanity check the ACL attribute

Wed, 01 Dec 2021 13:59:12 -0800 

The branch main has been updated by rmacklem:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=fd020f197d6ac481d36171ea69fe555eb911d673

commit fd020f197d6ac481d36171ea69fe555eb911d673
Author:     Rick Macklem <[email protected]>
AuthorDate: 2021-12-01 21:55:17 +0000
Commit:     Rick Macklem <[email protected]>
CommitDate: 2021-12-01 21:55:17 +0000

    nfsd: Sanity check the ACL attribute
    
    When an ACL is presented to the NFSv4 server in
    Setattr or Verify, parsing of the ACL assumed a
    sane acecnt and sane sizes for the "who" strings.
    This patch adds sanity checks for these.
    
    The patch also fixes handling of an error
    return from nfsrv_dissectacl() for one broken
    case.
    
    Reported by:    [email protected]
    Tested by:      [email protected]
    PR:     260111
    MFC after:      2 weeks
---
 sys/fs/nfs/nfs_commonacl.c  |  6 +++++-
 sys/fs/nfs/nfs_commonsubs.c | 10 ++++++++++
 2 files changed, 15 insertions(+), 1 deletion(-)

diff --git a/sys/fs/nfs/nfs_commonacl.c b/sys/fs/nfs/nfs_commonacl.c
index 99a67edc044d..19492675e731 100644
--- a/sys/fs/nfs/nfs_commonacl.c
+++ b/sys/fs/nfs/nfs_commonacl.c
@@ -58,7 +58,11 @@ nfsrv_dissectace(struct nfsrv_descript *nd, struct acl_entry 
*acep,
        flag = fxdr_unsigned(u_int32_t, *tl++);
        mask = fxdr_unsigned(u_int32_t, *tl++);
        len = fxdr_unsigned(int, *tl);
-       if (len < 0) {
+       /*
+        * The RFCs do not specify a limit to the length of the "who", but
+        * NFSV4_OPAQUELIMIT (1024) should be sufficient.
+        */
+       if (len < 0 || len > NFSV4_OPAQUELIMIT) {
                error = NFSERR_BADXDR;
                goto nfsmout;
        } else if (len == 0) {
diff --git a/sys/fs/nfs/nfs_commonsubs.c b/sys/fs/nfs/nfs_commonsubs.c
index 910f10eb1b4a..d882d248ef7f 100644
--- a/sys/fs/nfs/nfs_commonsubs.c
+++ b/sys/fs/nfs/nfs_commonsubs.c
@@ -1107,6 +1107,14 @@ nfsrv_dissectacl(struct nfsrv_descript *nd, NFSACL_T 
*aclp, int *aclerrp,
        NFSM_DISSECT(tl, u_int32_t *, NFSX_UNSIGNED);
        aclsize = NFSX_UNSIGNED;
        acecnt = fxdr_unsigned(int, *tl);
+       /*
+        * The RFCs do not define a fixed limit to the number of ACEs in
+        * an ACL, but 10240 should be more than sufficient.
+        */
+       if (acecnt < 0 || acecnt > 10240) {
+               error = NFSERR_BADXDR;
+               goto nfsmout;
+       }
        if (acecnt > ACL_MAX_ENTRIES)
                aceerr = NFSERR_ATTRNOTSUPP;
        if (nfsrv_useacl == 0)
@@ -1492,6 +1500,8 @@ nfsv4_loadattr(struct nfsrv_descript *nd, vnode_t vp,
                            } else {
                                error = nfsrv_dissectacl(nd, NULL, &aceerr,
                                    &cnt, p);
+                               if (error)
+                                   goto nfsmout;
                                *retcmpp = NFSERR_ATTRNOTSUPP;
                            }
                          }

Reply via email to