author | iedowse <iedowse@FreeBSD.org> | 2002-04-21 16:14:54 +0000 |
---|---|---|
committer | iedowse <iedowse@FreeBSD.org> | 2002-04-21 16:14:54 +0000 |
commit | cb6090429403c304e98c1ea1d87ad2c9b45d9efc (patch) | |
tree | 01bda32e906388ba9222d35f6cc558e0096891c1 /sys/nfsserver | |
parent | 1cb1010bd71f4cacb6cacd227d63375b0719744d (diff) | |
Limit to the maximum allowed reply size the amount of data that
nfsrv_readdir and nfsrv_readdirplus can return. A client request
containing an over-large `count' field could trigger the "Bad nfs
svc reply" panic in nfs_syscalls.c.
Spotted while trying to reproduce kern/37304, which turned out to
be fixed in FreeBSD a long time ago.
MFC after: 1 week
Diffstat (limited to 'sys/nfsserver')
-rw-r--r-- | sys/nfsserver/nfs_serv.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/sys/nfsserver/nfs_serv.c b/sys/nfsserver/nfs_serv.c index 21c225b..05272f2 100644 --- a/sys/nfsserver/nfs_serv.c +++ b/sys/nfsserver/nfs_serv.c @@ -3012,6 +3012,8 @@ nfsrv_readdir(struct nfsrv_descript *nfsd, struct nfssvc_sock *slp, cnt = fxdr_unsigned(int, *tl); siz = ((cnt + DIRBLKSIZ - 1) & ~(DIRBLKSIZ - 1)); xfer = NFS_SRVMAXDATA(nfsd); + if (cnt > xfer) + cnt = xfer; if (siz > xfer) siz = xfer; fullsiz = siz; @@ -3300,6 +3302,8 @@ nfsrv_readdirplus(struct nfsrv_descript *nfsd, struct nfssvc_sock *slp, off = toff; siz = ((siz + DIRBLKSIZ - 1) & ~(DIRBLKSIZ - 1)); xfer = NFS_SRVMAXDATA(nfsd); + if (cnt > xfer) + cnt = xfer; if (siz > xfer) siz = xfer; fullsiz = siz; |
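Review bot: in the nfsrv_readdir hunk the new cap on cnt sits after `siz = ((cnt + DIRBLKSIZ - 1) & ~(DIRBLKSIZ - 1));`, so the rounding still runs on the unclamped client value, and only an upper bound is enforced. cnt is decoded with `fxdr_unsigned(int, *tl)`; if it is a signed int, as that cast suggests, a count with the top bit set is negative and passes both `cnt > xfer` and `siz > xfer` unchanged. Consider clamping cnt directly after it is decoded, before siz is derived from it, and handling cnt < 0 explicitly unless a check outside this context already rules it out.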
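Review bot: in the nfsrv_readdirplus hunk siz is rounded from its own value rather than from cnt, so the added `if (cnt > xfer) cnt = xfer;` is the only limit on cnt visible here, and nothing in the code says why both values need the NFS_SRVMAXDATA(nfsd) cap. A short comment above the pair of checks stating that cnt bounds the reply size (the over-large count case from the commit message) would keep the new check from later being removed as redundant. The same two lines now also appear in nfsrv_readdir, so a shared macro or helper for the clamp would keep the two copies from drifting apart.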