
D52962.id164134.diff

diff --git a/sys/rpc/authunix_prot.c b/sys/rpc/authunix_prot.c
--- a/sys/rpc/authunix_prot.c
+++ b/sys/rpc/authunix_prot.c
@@ -50,9 +50,6 @@
#include <rpc/rpc_com.h>
-/* gids compose part of a credential; there may not be more than 16 of them */
-#define NGRPS 16
-
/*
* XDR for unix authentication parameters.
*/
@@ -65,13 +62,10 @@
char hostbuf[MAXHOSTNAMELEN];
if (xdrs->x_op == XDR_ENCODE) {
- /*
- * Restrict name length to 255 according to RFC 1057.
- */
getcredhostname(NULL, hostbuf, sizeof(hostbuf));
namelen = strlen(hostbuf);
- if (namelen > 255)
- namelen = 255;
+ if (namelen > AUTH_SYS_MAX_HOSTNAME)
+ namelen = AUTH_SYS_MAX_HOSTNAME;
} else {
namelen = 0;
}
@@ -87,6 +81,8 @@
if (!xdr_opaque(xdrs, hostbuf, namelen))
return (FALSE);
} else {
+ if (namelen > AUTH_SYS_MAX_HOSTNAME)
+ return (FALSE);
xdr_setpos(xdrs, xdr_getpos(xdrs) + RNDUP(namelen));
}
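Review bot: The decode-side skip right after the new bound check still discards the result of `xdr_setpos()`, so a message whose declared `namelen` passes the `AUTH_SYS_MAX_HOSTNAME` test but extends past the data actually present is not rejected at this point. The added check does bound the value fed to `RNDUP(namelen)`, which presumably also removes any wraparound for very large lengths. Consider `if (!xdr_setpos(xdrs, xdr_getpos(xdrs) + RNDUP(namelen))) return (FALSE);` so a failed reposition is reported here rather than left to a later decode step. The enclosing function starts and ends outside the hunk, and this else branch appears to be taken for every non-encode operation, so confirm that each stream type and operation reaching it can reposition successfully before making the result fatal.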
@@ -112,13 +108,30 @@
*/
MPASS(cred->cr_ngroups <= XU_NGROUPS);
supp_ngroups = cred->cr_ngroups - 1;
- if (supp_ngroups > NGRPS)
- supp_ngroups = NGRPS;
+ if (supp_ngroups > AUTH_SYS_MAX_GROUPS)
+ /* With current values, this should never execute. */
+ supp_ngroups = AUTH_SYS_MAX_GROUPS;
}
if (!xdr_uint32_t(xdrs, &supp_ngroups))
return (FALSE);
+ /*
+ * Because we cannot store more than XU_NGROUPS in total (16 at time of
+ * this writing), for now we choose to be strict with respect to RFC
+ * 5531's maximum number of supplementary groups (AUTH_SYS_MAX_GROUPS).
+ * That would also be an accidental DoS prevention measure if the
+ * request handling code didn't try to reassemble it in full without any
+ * size limits. Although AUTH_SYS_MAX_GROUPS and XU_NGROUPS are equal,
+ * since the latter includes the "effective" GID, we cannot store the
+ * last group of a message with exactly AUTH_SYS_MAX_GROUPS
+ * supplementary groups. We accept such messages so as not to violate
+ * the protocol, silently dropping the last group on the floor.
+ */
+
+ if (xdrs->x_op != XDR_ENCODE && supp_ngroups > AUTH_SYS_MAX_GROUPS)
+ return (FALSE);
+
junk = 0;
for (i = 0; i < supp_ngroups; ++i)
if (!xdr_uint32_t(xdrs, i < XU_NGROUPS - 1 ?
