Check for negative length in NFS strings. This affects both, the

client and server. OK beck@
author: bluhm <bluhm@openbsd.org> 2019-01-18 13:59:18 +0000
committer: bluhm <bluhm@openbsd.org> 2019-01-18 13:59:18 +0000
commit: 24585ec63cfbeab573314267f6e6adcb2c130468 (patch)
tree: 957311ca56095f7c267819618713c8e728efa0c8 /sys/nfs
parent: Check for negative length integers in NFS server. A malicious (diff)
download: wireguard-openbsd-24585ec63cfbeab573314267f6e6adcb2c130468.tar.xz
wireguard-openbsd-24585ec63cfbeab573314267f6e6adcb2c130468.zip
1 files changed, 2 insertions, 2 deletions
diff --git a/sys/nfs/nfsm_subs.h b/sys/nfs/nfsm_subs.h
index 020997855f8..647fda5dba9 100644
--- a/sys/nfs/nfsm_subs.h
+++ b/sys/nfs/nfsm_subs.h
@@ -1,4 +1,4 @@
-/*	$OpenBSD: nfsm_subs.h,v 1.46 2018/07/09 07:50:28 krw Exp $	*/
+/*	$OpenBSD: nfsm_subs.h,v 1.47 2019/01/18 13:59:18 bluhm Exp $	*/
 /*	$NetBSD: nfsm_subs.h,v 1.10 1996/03/20 21:59:56 fvdl Exp $	*/
 
 /*
@@ -173,7 +173,7 @@ struct nfsm_info {
 
 #define nfsm_strsiz(s, m) {						\
 	nfsm_dissect(tl, u_int32_t *,NFSX_UNSIGNED);			\
-	if (((s) = fxdr_unsigned(int32_t, *tl)) > (m)) {		\
+	if (((s) = fxdr_unsigned(int32_t, *tl)) < 0 || (s) > (m)) {	\
 		m_freem(info.nmi_mrep);					\
 		error = EBADRPC;					\
 		goto nfsmout;						\
author	bluhm <bluhm@openbsd.org>	2019-01-18 13:59:18 +0000
committer	bluhm <bluhm@openbsd.org>	2019-01-18 13:59:18 +0000
commit	24585ec63cfbeab573314267f6e6adcb2c130468 (patch)
tree	957311ca56095f7c267819618713c8e728efa0c8 /sys/nfs
parent	Check for negative length integers in NFS server. A malicious (diff)
download	wireguard-openbsd-24585ec63cfbeab573314267f6e6adcb2c130468.tar.xz wireguard-openbsd-24585ec63cfbeab573314267f6e6adcb2c130468.zip