
Bug #5002

Possible buffer overflow in makefh3()

Added by Marcel Telka over 5 years ago. Updated over 5 years ago.

Status: Closed
Priority: Low
Assignee:
Category: nfs - NFS server and client
Start date: 2014-07-14
Due date:
% Done: 100%
Estimated time:
Difficulty: Bite-size
Tags: needs-triage

Description

The makefh3() function obtains the fid of a vnode using the VOP_FID() call, then the fid is copied to fh->fh3_data. The fh is a pointer to nfs_fh3:

    fid.fid_len = MAXFIDSZ;                 /* advertises a 64-byte buffer to the file system */
    error = VOP_FID(vp, &fid, NULL);
    if (error)
        return (EREMOTE);

...

    fh->fh3_len = fid.fid_len;              /* whatever length the file system returned, up to 64 */
    bcopy(fid.fid_data, fh->fh3_data, fh->fh3_len);   /* fh3_data holds only NFS_FH3MAXDATA (26) bytes */

Since the fid.fid_len was set to MAXFIDSZ (64) before the VOP_FID() call, the underlying file system is allowed to return a fid with length up to 64 bytes.

The size of fh->fh3_data (where the fid is copied) is NFS_FH3MAXDATA (26). If the underlying file system returns a fid longer than 26 bytes, we will overflow fh3_data.

Fortunately, it seems the longest supported fid these days is 22 bytes (in ZFS), so this issue should not cause any harm, but it is still nice to get this fixed.
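A user-space model of the hardened copy, added here as an illustration and not taken from the project's commit: VOP_FID() is replaced by a hypothetical mock that follows the usual "fid_len is the buffer size on entry" contract, the kernel structs are reduced to the two fields involved, and fh3_len_for() is a helper for checking results.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>

/* Sizes as quoted in the bug report. */
#define MAXFIDSZ        64
#define NFS_FH3MAXDATA  26

/* Simplified stand-ins for the kernel's fid_t and nfs_fh3 (other fields omitted). */
typedef struct { uint16_t fid_len; uint8_t fid_data[MAXFIDSZ]; } fid_t;
typedef struct { uint16_t fh3_len; uint8_t fh3_data[NFS_FH3MAXDATA]; } nfs_fh3;

/*
 * Mock VOP_FID (hypothetical). On entry fid_len is the caller's buffer size;
 * if the fid ('want' bytes) does not fit, fid_len is set to the size needed
 * and ENOSPC is returned, else the fid is filled in and fid_len set to its length.
 */
static int mock_vop_fid(fid_t *fidp, size_t want)
{
    if (want > fidp->fid_len) {
        fidp->fid_len = (uint16_t)want;
        return ENOSPC;
    }
    fidp->fid_len = (uint16_t)want;
    memset(fidp->fid_data, 0xAB, want);        /* constructed fid contents */
    return 0;
}

/* Hardened makefh3: same flow as the original, plus a bound on the copy. */
int makefh3_fixed(nfs_fh3 *fh, size_t fs_fid_len)
{
    fid_t fid;
    fid.fid_len = MAXFIDSZ;
    if (mock_vop_fid(&fid, fs_fid_len) != 0)
        return EREMOTE;
    if (fid.fid_len > sizeof (fh->fh3_data))   /* the check the original lacks */
        return EREMOTE;                         /* refuse rather than overflow */
    fh->fh3_len = fid.fid_len;
    memcpy(fh->fh3_data, fid.fid_data, fh->fh3_len);
    return 0;
}

/* Returns fh3_len on success or -errno on failure; lets callers check the result. */
int fh3_len_for(size_t fs_fid_len)
{
    nfs_fh3 fh;
    int rc = makefh3_fixed(&fh, fs_fid_len);
    return rc == 0 ? fh.fh3_len : -rc;
}
```

A 22-byte fid (the ZFS case mentioned above) and a 26-byte fid are copied; anything longer is rejected with EREMOTE instead of running past the end of fh3_data.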

History

#1

Updated by Electric Monk over 5 years ago

  • % Done changed from 0 to 100
  • Status changed from In Progress to Closed

git commit fec13dd95833a1b958477320d32721f886a94f50

commit  fec13dd95833a1b958477320d32721f886a94f50
Author: Marcel Telka <marcel.telka@nexenta.com>
Date:   2014-07-15T22:58:40.000Z

    5002 Possible buffer overflow in makefh3()
    Reviewed by: Dan McDonald <danmcd@omniti.com>
    Reviewed by: Garrett D'Amore <garrett@damore.org>
    Approved by: Robert Mustacchi <rm@joyent.com>
