Module Name: src Committed By: martin Date: Thu Mar 30 12:01:26 UTC 2023
Modified Files: src/sys/nfs [netbsd-8]: nfs_serv.c nfs_srvsubs.c nfsm_subs.h Log Message: Pull up following revision(s) (requested by riastradh in ticket #1810): sys/nfs/nfs_serv.c: revision 1.184 sys/nfs/nfs_srvsubs.c: revision 1.17 sys/nfs/nfsm_subs.h: revision 1.56 sys/nfs/nfsm_subs.h: revision 1.57 nfs: Use unsigned fhlen so we don't trip over negative values. nfs: Avoid integer overflow in nfs_namei bounds check. nfs: Use unsigned name lengths so we don't trip over negative ones. - nfsm_strsiz is only used with uint32_t in callers, but let's not leave it as a rake to step on. - nfsm_srvnamesiz is abused with signed s. The internal conversion to unsigned serves to reject both negative and too-large values in such callers. XXX Should make all callers use unsigned, rather than flipping back and forth between signed and unsigned for name lengths. nfs: Avoid free of uninitialized on bad name size in create, mknod. XXX These error branches are a nightmare and need to be more systematically cleaned up. Even if they are correct now, they are impossible to audit and extremely fragile in case anyone ever needs to make other changes to them. To generate a diff of this commit: cvs rdiff -u -r1.173 -r1.173.4.1 src/sys/nfs/nfs_serv.c cvs rdiff -u -r1.14 -r1.14.30.1 src/sys/nfs/nfs_srvsubs.c cvs rdiff -u -r1.53 -r1.53.22.1 src/sys/nfs/nfsm_subs.h Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files: Index: src/sys/nfs/nfs_serv.c diff -u src/sys/nfs/nfs_serv.c:1.173 src/sys/nfs/nfs_serv.c:1.173.4.1 --- src/sys/nfs/nfs_serv.c:1.173 Wed Apr 26 03:02:49 2017 +++ src/sys/nfs/nfs_serv.c Thu Mar 30 12:01:25 2023 @@ -1,4 +1,4 @@ -/* $NetBSD: nfs_serv.c,v 1.173 2017/04/26 03:02:49 riastradh Exp $ */ +/* $NetBSD: nfs_serv.c,v 1.173.4.1 2023/03/30 12:01:25 martin Exp $ */ /* * Copyright (c) 1989, 1993 @@ -55,7 +55,7 @@ */ #include <sys/cdefs.h> -__KERNEL_RCSID(0, "$NetBSD: nfs_serv.c,v 1.173 2017/04/26 03:02:49 riastradh Exp $"); +__KERNEL_RCSID(0, "$NetBSD: nfs_serv.c,v 1.173.4.1 2023/03/30 12:01:25 martin Exp $"); #include <sys/param.h> #include <sys/systm.h> @@ -1638,10 +1638,10 @@ nfsmout: vput(nd.ni_dvp); if (nd.ni_vp) vput(nd.ni_vp); - } - if (nd.ni_pathbuf != NULL) { - pathbuf_destroy(nd.ni_pathbuf); - nd.ni_pathbuf = NULL; + if (nd.ni_pathbuf != NULL) { + pathbuf_destroy(nd.ni_pathbuf); + nd.ni_pathbuf = NULL; + } } return (error); } @@ -1792,10 +1792,10 @@ nfsmout: vput(nd.ni_dvp); if (nd.ni_vp) vput(nd.ni_vp); - } - if (nd.ni_pathbuf != NULL) { - pathbuf_destroy(nd.ni_pathbuf); - nd.ni_pathbuf = NULL; + if (nd.ni_pathbuf != NULL) { + pathbuf_destroy(nd.ni_pathbuf); + nd.ni_pathbuf = NULL; + } } if (dirp) vrele(dirp); Index: src/sys/nfs/nfs_srvsubs.c diff -u src/sys/nfs/nfs_srvsubs.c:1.14 src/sys/nfs/nfs_srvsubs.c:1.14.30.1 --- src/sys/nfs/nfs_srvsubs.c:1.14 Mon Nov 5 19:06:27 2012 +++ src/sys/nfs/nfs_srvsubs.c Thu Mar 30 12:01:26 2023 @@ -1,4 +1,4 @@ -/* $NetBSD: nfs_srvsubs.c,v 1.14 2012/11/05 19:06:27 dholland Exp $ */ +/* $NetBSD: nfs_srvsubs.c,v 1.14.30.1 2023/03/30 12:01:26 martin Exp $ */ /* * Copyright (c) 1989, 1993 @@ -70,7 +70,7 @@ */ #include <sys/cdefs.h> -__KERNEL_RCSID(0, "$NetBSD: nfs_srvsubs.c,v 1.14 2012/11/05 19:06:27 dholland Exp $"); +__KERNEL_RCSID(0, "$NetBSD: nfs_srvsubs.c,v 1.14.30.1 2023/03/30 12:01:26 martin Exp $"); #include <sys/param.h> #include <sys/proc.h> 
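Review bot: The `pathbuf_destroy()` block that moved inside the enclosing `if` at `nfsmout:` (hunk at 1638, and identically at 1792) is now safe only if that guard is false on every path where `nd` was never set up, and true whenever a pathbuf was actually allocated. The guard's condition starts above the hunk, so neither half can be confirmed from here. If any exit path leaves `nd.ni_pathbuf` non-NULL while the guard is false, the buffer would now leak instead of being freed, which is worth checking against the callers of `goto nfsmout`. I would record the invariant at the moved block, e.g. `/* nd.ni_pathbuf is only meaningful when the guard above is true; on early exits nd is uninitialized */`, so a later cleanup does not hoist the free back out.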
@@ -129,7 +129,7 @@ nfs_namei(struct nameidata *ndp, nfsrvfh *retdirp = NULL; ndp->ni_pathbuf = NULL; - if ((len + 1) > NFS_MAXPATHLEN) + if (len > NFS_MAXPATHLEN - 1) return (ENAMETOOLONG); if (len == 0) return (EACCES); Index: src/sys/nfs/nfsm_subs.h diff -u src/sys/nfs/nfsm_subs.h:1.53 src/sys/nfs/nfsm_subs.h:1.53.22.1 --- src/sys/nfs/nfsm_subs.h:1.53 Sat Sep 14 22:29:08 2013 +++ src/sys/nfs/nfsm_subs.h Thu Mar 30 12:01:26 2023 @@ -1,4 +1,4 @@ -/* $NetBSD: nfsm_subs.h,v 1.53 2013/09/14 22:29:08 martin Exp $ */ +/* $NetBSD: nfsm_subs.h,v 1.53.22.1 2023/03/30 12:01:26 martin Exp $ */ /* * Copyright (c) 1989, 1993 @@ -358,7 +358,7 @@ #define nfsm_strsiz(s,m) \ { nfsm_dissect(tl,uint32_t *,NFSX_UNSIGNED); \ - if (((s) = fxdr_unsigned(uint32_t,*tl)) > (m)) { \ + if ((uint32_t)((s) = fxdr_unsigned(uint32_t,*tl)) > (m)) { \ m_freem(mrep); \ error = EBADRPC; \ goto nfsmout; \ @@ -366,7 +366,8 @@ #define nfsm_srvnamesiz(s) \ { nfsm_dissect(tl,uint32_t *,NFSX_UNSIGNED); \ - if (((s) = fxdr_unsigned(uint32_t,*tl)) > NFS_MAXNAMLEN) \ + if ((uint32_t)((s) = fxdr_unsigned(uint32_t,*tl)) > \ + NFS_MAXNAMLEN) \ error = NFSERR_NAMETOL; \ if (error) \ nfsm_reply(0); \ @@ -472,20 +473,24 @@ } } #define nfsm_srvmtofh(nsfh) \ - { int fhlen = NFSX_V3FH; \ + { uint32_t fhlen = NFSX_V3FH; \ if (nfsd->nd_flag & ND_NFSV3) { \ - nfsm_dissect(tl, u_int32_t *, NFSX_UNSIGNED); \ - fhlen = fxdr_unsigned(int, *tl); \ + nfsm_dissect(tl, uint32_t *, NFSX_UNSIGNED); \ + fhlen = fxdr_unsigned(uint32_t, *tl); \ + CTASSERT(NFSX_V3FHMAX <= FHANDLE_SIZE_MAX); \ if (fhlen > NFSX_V3FHMAX || \ (fhlen < FHANDLE_SIZE_MIN && fhlen > 0)) { \ error = EBADRPC; \ nfsm_reply(0); \ } \ } else { \ + CTASSERT(NFSX_V2FH >= FHANDLE_SIZE_MIN); \ fhlen = NFSX_V2FH; \ } \ (nsfh)->nsfh_size = fhlen; \ if (fhlen != 0) { \ + KASSERT(fhlen >= FHANDLE_SIZE_MIN); \ + KASSERT(fhlen <= FHANDLE_SIZE_MAX); \ nfsm_dissect(tl, u_int32_t *, fhlen); \ memcpy(NFSRVFH_DATA(nsfh), tl, fhlen); \ } \
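Review bot: The rewritten bound `if (len > NFS_MAXPATHLEN - 1)` rejects oversized lengths reliably only if `len` is unsigned. Its declaration sits in the part of the `nfs_namei` signature that the hunk header cuts off, so that should be confirmed. With a signed `len`, a negative value would pass both this test and the `len == 0` test that follows. A one-line comment would stop someone from simplifying the expression back, e.g. `/* written without len + 1, which can overflow for a very large len */`. The function body continues outside the hunk.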
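Review bot: In `nfsm_strsiz` the added cast makes the comparison unsigned, but `(s)` has already been assigned the raw wire value by the time it is checked, so a caller whose `s` is signed still holds a negative length on the failure path. The same applies to `nfsm_srvnamesiz` in the next hunk. Decoding into a local and storing only after the bound check avoids relying on the signed round-trip: `uint32_t len_ = fxdr_unsigned(uint32_t, *tl);`, then `if (len_ > (m)) { … }`, and finally `(s) = len_;`. This matters more in `nfsm_srvnamesiz`, because what happens after `error = NFSERR_NAMETOL` depends on `nfsm_reply(0)`, whose definition is not in this hunk.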
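Review bot: The two `KASSERT`s added before `memcpy(NFSRVFH_DATA(nsfh), tl, fhlen)` in `nfsm_srvmtofh` are compiled out of kernels built without DIAGNOSTIC, so in production the copy length is bounded only by the range check in the NFSv3 branch. That check protects the copy only if `nfsm_reply(0)` leaves the calling function, which is not visible in this hunk. The `CTASSERT` ties `NFSX_V3FHMAX` to `FHANDLE_SIZE_MAX`, but nothing visible ties either constant to the capacity of the buffer behind `NFSRVFH_DATA(nsfh)`; a compile-time assertion on that size would close the gap. A comment at the copy such as `/* fhlen was range-checked above; nfsm_reply() does not fall through */` would record the assumption, if it holds. Minor: the hunk switches the first `nfsm_dissect` to `uint32_t *` but leaves `u_int32_t *` on the one just before the `memcpy`.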