From: Ed Maste
Date: Fri, 6 May 2016 21:19:28 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: svn commit: r299199 - head/sys/fs/nfs

Author: emaste
Date: Fri May 6 21:19:28 2016
New Revision: 299199
URL: https://svnweb.freebsd.org/changeset/base/299199

Log:
  Add nid_namelen bounds check to nfssvc system call

  This is only allowed by root and only used by the nfs daemon, which
  should not provide an incorrect value. However, it's still good
  practice to validate data provided by userland.

  PR: 206626
  Reported by: CTurt
  Reviewed by: rmacklem
  MFC after: 1 month
  Differential Revision: https://reviews.freebsd.org/D6201

Modified:
  head/sys/fs/nfs/nfs_commonsubs.c

Modified: head/sys/fs/nfs/nfs_commonsubs.c
==============================================================================
--- head/sys/fs/nfs/nfs_commonsubs.c Fri May 6 20:57:41 2016 (r299198) +++ head/sys/fs/nfs/nfs_commonsubs.c Fri May 6 21:19:28 2016 (r299199) @@ -3174,6 +3174,10 @@ nfssvc_idname(struct nfsd_idargs *nidp) static int onethread = 0; static time_t lasttime = 0; + if (nidp->nid_namelen <= 0 || nidp->nid_namelen > MAXHOSTNAMELEN) { + error = EINVAL; + goto out; + } if (nidp->nid_flag & NFSID_INITIALIZE) { cp = malloc(nidp->nid_namelen + 1, M_NFSSTRING, M_WAITOK); error = copyin(CAST_USER_ADDR_T(nidp->nid_name), cp,
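
Review bot: The new nid_namelen check sits above the `nidp->nid_flag & NFSID_INITIALIZE` test, so it applies to every nfssvc_idname() operation, and its `<= 0` half rejects a zero length for all of them. It is worth confirming that no flag path legitimately passes an empty name, or else applying the lower bound only in the branches that allocate and copy. The upper bound also deserves a one-line comment saying why MAXHOSTNAMELEN is the right limit here: the value feeds straight into `malloc(nidp->nid_namelen + 1, M_NFSSTRING, M_WAITOK)` and the copyin() that follows, and a reader cannot tell from the hunk why a hostname limit applies to the names this function handles.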