From 5604e100533a139fbfdc4aa09e753777ef86db8a Mon Sep 17 00:00:00 2001 From: Taylor R Campbell Date: Wed, 22 Mar 2023 16:54:22 +0000 Subject: [PATCH 1/4] nfs: Use unsigned fhlen so we don't trip over negative values. XXX pullup-8 XXX pullup-9 XXX pullup-10 --- sys/nfs/nfsm_subs.h | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/sys/nfs/nfsm_subs.h b/sys/nfs/nfsm_subs.h index 2a12fe0263bd..0b668be0104e 100644 --- a/sys/nfs/nfsm_subs.h +++ b/sys/nfs/nfsm_subs.h @@ -480,20 +480,24 @@ } } #define nfsm_srvmtofh(nsfh) \ - { int fhlen = NFSX_V3FH; \ + { uint32_t fhlen = NFSX_V3FH; \ if (nfsd->nd_flag & ND_NFSV3) { \ - nfsm_dissect(tl, u_int32_t *, NFSX_UNSIGNED); \ - fhlen = fxdr_unsigned(int, *tl); \ + nfsm_dissect(tl, uint32_t *, NFSX_UNSIGNED); \ + fhlen = fxdr_unsigned(uint32_t, *tl); \ + CTASSERT(NFSX_V3FHMAX <= FHANDLE_SIZE_MAX); \ if (fhlen > NFSX_V3FHMAX || \ (fhlen < FHANDLE_SIZE_MIN && fhlen > 0)) { \ error = EBADRPC; \ nfsm_reply(0); \ } \ } else { \ + CTASSERT(NFSX_V2FH >= FHANDLE_SIZE_MIN); \ fhlen = NFSX_V2FH; \ } \ (nsfh)->nsfh_size = fhlen; \ if (fhlen != 0) { \ + KASSERT(fhlen >= FHANDLE_SIZE_MIN); \ + KASSERT(fhlen <= FHANDLE_SIZE_MAX); \ nfsm_dissect(tl, u_int32_t *, fhlen); \ memcpy(NFSRVFH_DATA(nsfh), tl, fhlen); \ } \ From 7baa2182277bd4a6a7439b62366195bfa376be98 Mon Sep 17 00:00:00 2001 From: Taylor R Campbell Date: Wed, 22 Mar 2023 17:10:48 +0000 Subject: [PATCH 2/4] nfs: Avoid integer overflow in nfs_namei bounds check. XXX pullup-8 XXX pullup-9 XXX pullup-10 --- sys/nfs/nfs_srvsubs.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sys/nfs/nfs_srvsubs.c b/sys/nfs/nfs_srvsubs.c index 2d3c2f3b31a8..743777a26356 100644 --- a/sys/nfs/nfs_srvsubs.c +++ b/sys/nfs/nfs_srvsubs.c @@ -129,7 +129,7 @@ nfs_namei(struct nameidata *ndp, nfsrvfh_t *nsfh, uint32_t len, struct nfssvc_so *retdirp = NULL; ndp->ni_pathbuf = NULL; - if ((len + 1) > NFS_MAXPATHLEN) + if (len > NFS_MAXPATHLEN - 1) return (ENAMETOOLONG); if (len == 0) return (EACCES); From 341b6a82414b1ecfd2d7df801a7ff7612acdf817 Mon Sep 17 00:00:00 2001 From: Taylor R Campbell Date: Wed, 22 Mar 2023 17:14:53 +0000 Subject: [PATCH 3/4] nfs: Use unsigned name lengths so we don't trip over negative ones. - nfsm_strsiz is only used with uint32_t in callers, but let's not leave it as a rake to step on. - nfsm_srvnamesiz is abused with signed s. The internal conversion to unsigned serves to reject both negative and too-large values in such callers. XXX Should make all callers use unsigned, rather than flipping back and forth between signed and unsigned for name lengths. XXX pullup-8 XXX pullup-9 XXX pullup-10 --- sys/nfs/nfsm_subs.h | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/sys/nfs/nfsm_subs.h b/sys/nfs/nfsm_subs.h index 0b668be0104e..217271c853fc 100644 --- a/sys/nfs/nfsm_subs.h +++ b/sys/nfs/nfsm_subs.h @@ -366,7 +366,7 @@ #define nfsm_strsiz(s,m) \ { nfsm_dissect(tl,uint32_t *,NFSX_UNSIGNED); \ - if (((s) = fxdr_unsigned(uint32_t,*tl)) > (m)) { \ + if ((uint32_t)((s) = fxdr_unsigned(uint32_t,*tl)) > (m)) { \ m_freem(mrep); \ error = EBADRPC; \ goto nfsmout; \ @@ -374,7 +374,8 @@ #define nfsm_srvnamesiz(s) \ { nfsm_dissect(tl,uint32_t *,NFSX_UNSIGNED); \ - if (((s) = fxdr_unsigned(uint32_t,*tl)) > NFS_MAXNAMLEN) \ + if ((uint32_t)((s) = fxdr_unsigned(uint32_t,*tl)) > \ + NFS_MAXNAMLEN) \ error = NFSERR_NAMETOL; \ if (error) \ nfsm_reply(0); \ From ce01df42d9bd413e51d70aa42f6312dd499f50b9 Mon Sep 17 00:00:00 2001 From: Taylor R Campbell Date: Wed, 22 Mar 2023 21:12:42 +0000 Subject: [PATCH 4/4] nfs: Avoid free of uninitialized on bad name size in create, mknod. XXX These error branches are a nightmare and need to be more systematically cleaned up. Even if they are correct now, they are impossible to audit and extremely fragile in case anyone ever needs to make other changes to them. XXX pullup-8 XXX pullup-9 XXX pullup-10 --- sys/nfs/nfs_serv.c | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/sys/nfs/nfs_serv.c b/sys/nfs/nfs_serv.c index 61d7e70287ea..e0bac787f69c 100644 --- a/sys/nfs/nfs_serv.c +++ b/sys/nfs/nfs_serv.c @@ -1648,10 +1648,10 @@ nfsmout: vput(nd.ni_dvp); if (nd.ni_vp) vput(nd.ni_vp); - } - if (nd.ni_pathbuf != NULL) { - pathbuf_destroy(nd.ni_pathbuf); - nd.ni_pathbuf = NULL; + if (nd.ni_pathbuf != NULL) { + pathbuf_destroy(nd.ni_pathbuf); + nd.ni_pathbuf = NULL; + } } return (error); } @@ -1801,10 +1801,10 @@ nfsmout: vput(nd.ni_dvp); if (nd.ni_vp) vput(nd.ni_vp); - } - if (nd.ni_pathbuf != NULL) { - pathbuf_destroy(nd.ni_pathbuf); - nd.ni_pathbuf = NULL; + if (nd.ni_pathbuf != NULL) { + pathbuf_destroy(nd.ni_pathbuf); + nd.ni_pathbuf = NULL; + } } if (dirp) vrele(dirp);