upstream/opnsense-src
1
0
Fork 0
mirror of https://github.com/opnsense/src.git synced 2026-05-28 04:12:45 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

nfsd: Limit parsing of layout errors to maxcnt bytes

Browse source 
This patch decrements maxcnt by the appropriate
number of bytes during parsing and checks to see
if there is data remaining.  If not, it just returns
from nfsrv_flexlayouterr() without further processing.
This prevents the tl pointer from running off the end
of the error data pointed at by layp, if there are
flaws in the data.

PR:	260293

(cherry picked from commit c302f889e2)
This commit is contained in:
Rick Macklem 2021-12-13 15:21:31 -08:00
parent 2520c9ba7e
commit 030acb63d9
1 changed files with 12 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

13
sys/fs/nfsserver/nfs_nfsdstate.c
View file

@ -7001,14 +7001,25 @@ nfsrv_flexlayouterr(struct nfsrv_descript *nd, uint32_t *layp, int maxcnt,
char devid[NFSX_V4DEVICEID];
tl = layp;
cnt = fxdr_unsigned(int, *tl++);
maxcnt -= NFSX_UNSIGNED;
if (maxcnt > 0)
cnt = fxdr_unsigned(int, *tl++);
else
cnt = 0;
NFSD_DEBUG(4, "flexlayouterr cnt=%d\n", cnt);
for (i = 0; i < cnt; i++) {
maxcnt -= NFSX_STATEID + 2 * NFSX_HYPER +
NFSX_UNSIGNED;
if (maxcnt <= 0)
break;
/* Skip offset, length and stateid for now. */
tl += (4 + NFSX_STATEID / NFSX_UNSIGNED);
errcnt = fxdr_unsigned(int, *tl++);
NFSD_DEBUG(4, "flexlayouterr errcnt=%d\n", errcnt);
for (j = 0; j < errcnt; j++) {
maxcnt -= NFSX_V4DEVICEID + 2 * NFSX_UNSIGNED;
if (maxcnt < 0)
break;
NFSBCOPY(tl, devid, NFSX_V4DEVICEID);
tl += (NFSX_V4DEVICEID / NFSX_UNSIGNED);
stat = fxdr_unsigned(int, *tl++);