Commit b5c57793 authored by Rick Macklem's avatar Rick Macklem
Browse files

nfsd: Sanity check the ACL attribute

When an ACL is presented to the NFSv4 server in
Setattr or Verify, parsing of the ACL assumed a
sane acecnt and sane sizes for the "who" strings.
This patch adds sanity checks for these.

The patch also fixes handling of an error
return from nfsrv_dissectacl() for one broken
case.

PR:	260111

(cherry picked from commit fd020f19)
parent a85d71e4
......@@ -58,7 +58,11 @@ nfsrv_dissectace(struct nfsrv_descript *nd, struct acl_entry *acep,
flag = fxdr_unsigned(u_int32_t, *tl++);
mask = fxdr_unsigned(u_int32_t, *tl++);
len = fxdr_unsigned(int, *tl);
if (len < 0) {
/*
* The RFCs do not specify a limit to the length of the "who", but
* NFSV4_OPAQUELIMIT (1024) should be sufficient.
*/
if (len < 0 || len > NFSV4_OPAQUELIMIT) {
error = NFSERR_BADXDR;
goto nfsmout;
} else if (len == 0) {
......
......@@ -1085,6 +1085,14 @@ nfsrv_dissectacl(struct nfsrv_descript *nd, NFSACL_T *aclp, int *aclerrp,
NFSM_DISSECT(tl, u_int32_t *, NFSX_UNSIGNED);
aclsize = NFSX_UNSIGNED;
acecnt = fxdr_unsigned(int, *tl);
/*
* The RFCs do not define a fixed limit to the number of ACEs in
* an ACL, but 10240 should be more than sufficient.
*/
if (acecnt < 0 || acecnt > 10240) {
error = NFSERR_BADXDR;
goto nfsmout;
}
if (acecnt > ACL_MAX_ENTRIES)
aceerr = NFSERR_ATTRNOTSUPP;
if (nfsrv_useacl == 0)
......@@ -1468,6 +1476,8 @@ nfsv4_loadattr(struct nfsrv_descript *nd, vnode_t vp,
} else {
error = nfsrv_dissectacl(nd, NULL, &aceerr,
&cnt, p);
if (error)
goto nfsmout;
*retcmpp = NFSERR_ATTRNOTSUPP;
}
}
......
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment