The branch main has been updated by rmacklem: URL: https://cgit.FreeBSD.org/src/commit/?id=4672adcea4cf3c0c626d186f1f41c69552d915f1
commit 4672adcea4cf3c0c626d186f1f41c69552d915f1 Author: Rick Macklem <[email protected]> AuthorDate: 2025-10-28 14:44:14 +0000 Commit: Rick Macklem <[email protected]> CommitDate: 2025-10-28 14:44:14 +0000 nfs_commonsubs.c: Add a sanity check for nid_ngroup The nfsuserd(8) daemon passes user credentials (uid + gids) into the kernel for users and groups identified by name (received from a NFSv4 server). This patch add a sanity check for the number of groups (nid_ngroup) passed in. It's only purpose is to protect against a bogus nfsuserd(8) running in a jail. Reported by: Ilja Van Sprundel <[email protected]> Reviewed by: markj MFC after: 3 days Differential Revision: https://reviews.freebsd.org/D53389
---
 sys/fs/nfs/nfs_commonsubs.c | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/sys/fs/nfs/nfs_commonsubs.c b/sys/fs/nfs/nfs_commonsubs.c
index 8d506a5643a9..8e1a26eef354 100644
--- a/sys/fs/nfs/nfs_commonsubs.c
+++ b/sys/fs/nfs/nfs_commonsubs.c
@@ -4192,10 +4192,15 @@ nfssvc_idname(struct nfsd_idargs *nidp)
 nidp->nid_namelen);
 if (error == 0 && nidp->nid_ngroup > 0 &&
 (nidp->nid_flag & NFSID_ADDUID) != 0) {
- grps = malloc(sizeof(gid_t) * nidp->nid_ngroup, M_TEMP,
- M_WAITOK);
- error = copyin(nidp->nid_grps, grps,
- sizeof(gid_t) * nidp->nid_ngroup);
+ grps = NULL;
+ if (nidp->nid_ngroup > NGROUPS_MAX)
+ error = EINVAL;
+ if (error == 0) {
+ grps = malloc(sizeof(gid_t) * nidp->nid_ngroup, M_TEMP,
+ M_WAITOK);
+ error = copyin(nidp->nid_grps, grps,
+ sizeof(gid_t) * nidp->nid_ngroup);
+ }
 if (error == 0) {
 /*
 * Create a credential just like svc_getcred(),
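Review bot: The new `nid_ngroup > NGROUPS_MAX` test is the only bound on a userland-supplied count before it sizes the `malloc(..., M_WAITOK)` and the `copyin()`, yet nothing at the check records that. A short comment above it would stop a later cleanup from folding it away, for example `/* nid_ngroup comes from nfsuserd(8); bound it before it sizes the allocation and copyin. */`. The limit is the compile-time NGROUPS_MAX; if the credential code after this hunk caps groups at the runtime `ngroups_max` instead, it is worth confirming that a legitimate daemon never passes more than NGROUPS_MAX entries, since it would now get EINVAL. The `grps = NULL` initialisation only matters to cleanup code that is not visible here, as the enclosing block continues past the end of the hunk.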
