Possible buffer overflow in makefh3()
The makefh3() function obtains the fid of a vnode using the VOP_FID() call and then copies that fid to fh->fh3_data, where fh is a pointer to an nfs_fh3:

	fid.fid_len = MAXFIDSZ;
	error = VOP_FID(vp, &fid, NULL);
	if (error)
		return (EREMOTE);
	...
	fh->fh3_len = fid.fid_len;
	bcopy(fid.fid_data, fh->fh3_data, fh->fh3_len);
Since the fid.fid_len was set to MAXFIDSZ (64) before the VOP_FID() call, the underlying file system is allowed to return a fid with length up to 64 bytes.
The size of fh->fh3_data (where the fid is copied) is NFS_FH3MAXDATA (26). If the underlying file system returns a fid longer than 26 bytes, the copy overflows fh3_data.
Fortunately, it seems the longest fid any supported file system returns these days is 22 bytes (ZFS), so this issue should not cause any harm, but it is still nice to get it fixed.
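As an added illustration (not the illumos code or the fix itself), the following models the in/out fid_len contract described above: the caller advertises the capacity in fid_len, and the file system writes back the real length. The hardened makefh3 offers only sizeof(fh->fh3_data) as capacity and additionally refuses any fid longer than the destination, so an oversize fid becomes an error instead of an overflow. fake_vop_fid, the struct layouts, the use of ENOSPC and the EREMOTE return on a too-long fid are assumptions made for the example.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAXFIDSZ        64   /* value quoted in the report */
#define NFS_FH3MAXDATA  26   /* value quoted in the report */

/* Simplified stand-ins for the kernel structures (assumed layout). */
typedef struct { uint16_t fid_len; char fid_data[MAXFIDSZ]; } fid_t;
typedef struct { uint16_t fh3_len; char fh3_data[NFS_FH3MAXDATA]; } nfs_fh3;

/*
 * Stand-in for VOP_FID() (assumed behaviour): fid_len carries the caller's
 * capacity on entry and the actual fid length on return.  A file system whose
 * fid does not fit reports ENOSPC instead of writing past the capacity.
 * want_len simulates the fid size of the underlying file system.
 */
static int fake_vop_fid(fid_t *fid, size_t want_len)
{
    if (want_len > MAXFIDSZ)
        return EINVAL;
    if (fid->fid_len < want_len) {
        fid->fid_len = (uint16_t)want_len;  /* tell the caller how much is needed */
        return ENOSPC;
    }
    memset(fid->fid_data, 0x41, want_len);   /* constructed fid bytes */
    fid->fid_len = (uint16_t)want_len;
    return 0;
}

/*
 * Hardened makefh3(): the original offered MAXFIDSZ (64) as capacity and
 * then bcopy'd fid_len bytes into the 26-byte fh3_data.  Here the capacity
 * is the destination size, and the length is re-checked before the copy.
 */
int makefh3_safe(nfs_fh3 *fh, size_t fs_fid_len)
{
    fid_t fid;

    fid.fid_len = sizeof (fh->fh3_data);        /* capacity == destination */
    if (fake_vop_fid(&fid, fs_fid_len) != 0)
        return EREMOTE;
    if (fid.fid_len > sizeof (fh->fh3_data))    /* belt and braces */
        return EREMOTE;
    fh->fh3_len = fid.fid_len;
    memcpy(fh->fh3_data, fid.fid_data, fh->fh3_len);
    return 0;
}
```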
Updated by Electric Monk over 5 years ago
- % Done changed from 0 to 100
- Status changed from In Progress to Closed
commit fec13dd95833a1b958477320d32721f886a94f50
Author: Marcel Telka <firstname.lastname@example.org>
Date: 2014-07-15T22:58:40.000Z

5002 Possible buffer overflow in makefh3()
Reviewed by: Dan McDonald <email@example.com>
Reviewed by: Garrett D'Amore <firstname.lastname@example.org>
Approved by: Robert Mustacchi <email@example.com>