Source-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[src/netbsd-9]: src/sys/nfs Pull up following revision(s) (requested by riast...
details: https://anonhg.NetBSD.org/src/rev/e2b5d4a66ddf
branches: netbsd-9
changeset: 374076:e2b5d4a66ddf
user: martin <martin%NetBSD.org@localhost>
date: Thu Mar 30 11:59:24 2023 +0000
description:
Pull up following revision(s) (requested by riastradh in ticket #1617):
sys/nfs/nfs_serv.c: revision 1.184
sys/nfs/nfs_srvsubs.c: revision 1.17
sys/nfs/nfsm_subs.h: revision 1.56
sys/nfs/nfsm_subs.h: revision 1.57
nfs: Use unsigned fhlen so we don't trip over negative values.
nfs: Avoid integer overflow in nfs_namei bounds check.
nfs: Use unsigned name lengths so we don't trip over negative ones.
- nfsm_strsiz is only used with uint32_t in callers, but let's not
leave it as a rake to step on.
- nfsm_srvnamesiz is abused with signed s. The internal conversion
to unsigned serves to reject both negative and too-large values in
such callers.
XXX Should make all callers use unsigned, rather than flipping back
and forth between signed and unsigned for name lengths.
nfs: Avoid free of uninitialized on bad name size in create, mknod.
XXX These error branches are a nightmare and need to be more
systematically cleaned up. Even if they are correct now, they are
impossible to audit and extremely fragile in case anyone ever needs
to make other changes to them.
diffstat:
sys/nfs/nfs_serv.c | 20 ++++++++++----------
sys/nfs/nfs_srvsubs.c | 6 +++---
sys/nfs/nfsm_subs.h | 17 +++++++++++------
3 files changed, 24 insertions(+), 19 deletions(-)
diffs (131 lines):
diff -r afb5e1a6c7b2 -r e2b5d4a66ddf sys/nfs/nfs_serv.c
--- a/sys/nfs/nfs_serv.c Thu Mar 30 11:51:03 2023 +0000
+++ b/sys/nfs/nfs_serv.c Thu Mar 30 11:59:24 2023 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: nfs_serv.c,v 1.177 2019/02/20 10:05:20 hannken Exp $ */
+/* $NetBSD: nfs_serv.c,v 1.177.4.1 2023/03/30 11:59:24 martin Exp $ */
/*
* Copyright (c) 1989, 1993
@@ -55,7 +55,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: nfs_serv.c,v 1.177 2019/02/20 10:05:20 hannken Exp $");
+__KERNEL_RCSID(0, "$NetBSD: nfs_serv.c,v 1.177.4.1 2023/03/30 11:59:24 martin Exp $");
#include <sys/param.h>
#include <sys/systm.h>
@@ -1643,10 +1643,10 @@ nfsmout:
vput(nd.ni_dvp);
if (nd.ni_vp)
vput(nd.ni_vp);
- }
- if (nd.ni_pathbuf != NULL) {
- pathbuf_destroy(nd.ni_pathbuf);
- nd.ni_pathbuf = NULL;
+ if (nd.ni_pathbuf != NULL) {
+ pathbuf_destroy(nd.ni_pathbuf);
+ nd.ni_pathbuf = NULL;
+ }
}
return (error);
}
@@ -1797,10 +1797,10 @@ nfsmout:
vput(nd.ni_dvp);
if (nd.ni_vp)
vput(nd.ni_vp);
- }
- if (nd.ni_pathbuf != NULL) {
- pathbuf_destroy(nd.ni_pathbuf);
- nd.ni_pathbuf = NULL;
+ if (nd.ni_pathbuf != NULL) {
+ pathbuf_destroy(nd.ni_pathbuf);
+ nd.ni_pathbuf = NULL;
+ }
}
if (dirp)
vrele(dirp);
diff -r afb5e1a6c7b2 -r e2b5d4a66ddf sys/nfs/nfs_srvsubs.c
--- a/sys/nfs/nfs_srvsubs.c Thu Mar 30 11:51:03 2023 +0000
+++ b/sys/nfs/nfs_srvsubs.c Thu Mar 30 11:59:24 2023 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: nfs_srvsubs.c,v 1.14 2012/11/05 19:06:27 dholland Exp $ */
+/* $NetBSD: nfs_srvsubs.c,v 1.14.42.1 2023/03/30 11:59:24 martin Exp $ */
/*
* Copyright (c) 1989, 1993
@@ -70,7 +70,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: nfs_srvsubs.c,v 1.14 2012/11/05 19:06:27 dholland Exp $");
+__KERNEL_RCSID(0, "$NetBSD: nfs_srvsubs.c,v 1.14.42.1 2023/03/30 11:59:24 martin Exp $");
#include <sys/param.h>
#include <sys/proc.h>
@@ -129,7 +129,7 @@ nfs_namei(struct nameidata *ndp, nfsrvfh
*retdirp = NULL;
ndp->ni_pathbuf = NULL;
- if ((len + 1) > NFS_MAXPATHLEN)
+ if (len > NFS_MAXPATHLEN - 1)
return (ENAMETOOLONG);
if (len == 0)
return (EACCES);
diff -r afb5e1a6c7b2 -r e2b5d4a66ddf sys/nfs/nfsm_subs.h
--- a/sys/nfs/nfsm_subs.h Thu Mar 30 11:51:03 2023 +0000
+++ b/sys/nfs/nfsm_subs.h Thu Mar 30 11:59:24 2023 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: nfsm_subs.h,v 1.53 2013/09/14 22:29:08 martin Exp $ */
+/* $NetBSD: nfsm_subs.h,v 1.53.34.1 2023/03/30 11:59:24 martin Exp $ */
/*
* Copyright (c) 1989, 1993
@@ -358,7 +358,7 @@
#define nfsm_strsiz(s,m) \
{ nfsm_dissect(tl,uint32_t *,NFSX_UNSIGNED); \
- if (((s) = fxdr_unsigned(uint32_t,*tl)) > (m)) { \
+ if ((uint32_t)((s) = fxdr_unsigned(uint32_t,*tl)) > (m)) { \
m_freem(mrep); \
error = EBADRPC; \
goto nfsmout; \
@@ -366,7 +366,8 @@
#define nfsm_srvnamesiz(s) \
{ nfsm_dissect(tl,uint32_t *,NFSX_UNSIGNED); \
- if (((s) = fxdr_unsigned(uint32_t,*tl)) > NFS_MAXNAMLEN) \
+ if ((uint32_t)((s) = fxdr_unsigned(uint32_t,*tl)) > \
+ NFS_MAXNAMLEN) \
error = NFSERR_NAMETOL; \
if (error) \
nfsm_reply(0); \
@@ -472,20 +473,24 @@
} }
#define nfsm_srvmtofh(nsfh) \
- { int fhlen = NFSX_V3FH; \
+ { uint32_t fhlen = NFSX_V3FH; \
if (nfsd->nd_flag & ND_NFSV3) { \
- nfsm_dissect(tl, u_int32_t *, NFSX_UNSIGNED); \
- fhlen = fxdr_unsigned(int, *tl); \
+ nfsm_dissect(tl, uint32_t *, NFSX_UNSIGNED); \
+ fhlen = fxdr_unsigned(uint32_t, *tl); \
+ CTASSERT(NFSX_V3FHMAX <= FHANDLE_SIZE_MAX); \
if (fhlen > NFSX_V3FHMAX || \
(fhlen < FHANDLE_SIZE_MIN && fhlen > 0)) { \
error = EBADRPC; \
nfsm_reply(0); \
} \
} else { \
+ CTASSERT(NFSX_V2FH >= FHANDLE_SIZE_MIN); \
fhlen = NFSX_V2FH; \
} \
(nsfh)->nsfh_size = fhlen; \
if (fhlen != 0) { \
+ KASSERT(fhlen >= FHANDLE_SIZE_MIN); \
+ KASSERT(fhlen <= FHANDLE_SIZE_MAX); \
nfsm_dissect(tl, u_int32_t *, fhlen); \
memcpy(NFSRVFH_DATA(nsfh), tl, fhlen); \
} \
Home |
Main Index |
Thread Index |
Old Index