https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=260111
Rick Macklem <[email protected]> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|New |Open Assignee|[email protected] |[email protected] --- Comment #1 from Rick Macklem <[email protected]> --- Created attachment 229822 --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=229822&action=edit Sanity check the acecnt and who size, plus fix a nfsv4_dissectacl() error case This patch should fix the crash, plus a couple of other things. It... - Adds an if (error) check for the nfsrv_dissectacl() call that didn't have it to avoid the nfsm_advance() call at the end of nfsv4_loadattr(), as noted by Robert. - Adds a sanity check for the acecnt. (Checking for negative was the minimal check needed, but I also included an upper bound.) (As an aside, I should probably have made most of these count variables uint32_t instead of int, but that was 20years ago.) - Add a sanity check on the size of the "who" string, since a data buffer for it is malloc()d. Maybe Robert can check to see this patch fixes the crash for him? -- You are receiving this mail because: You are the assignee for the bug.
