nfsd: Add checks for layout errors in LayoutReturn

For a LayoutReturn when using the Flexible File Layout, error reports may be provided in the request. Sanity check the size of these error reports and check that they exist before calling nfsrv_flexlayouterr(). Reported by: rtm@lcs.mit.edu Tested by: rtm@lcs.mit.edu PR: 260012 MFC after: 2 weeks
2026-04-29 18:32:49 -04:00 · 2021-11-26 15:42:32 -08:00 · 2021-11-26 15:42:32 -08:00 · bdd57cbb1b
commit bdd57cbb1b
parent 22f7bcb523
2 changed files with 7 additions and 1 deletions
--- a/sys/fs/nfsserver/nfs_nfsdserv.c
+++ b/sys/fs/nfsserver/nfs_nfsdserv.c
@ -4959,6 +4959,12 @@ nfsrvd_layoutreturn(struct nfsrv_descript *nd, __unused int isdgram,
 		}

 		maxcnt = fxdr_unsigned(int, *tl);
+		/*
+		 * There is no fixed upper bound defined in the RFCs,
+		 * but 128Kbytes should be more than sufficient.
+		 */
+		if (maxcnt < 0 || maxcnt > 131072)
+			maxcnt = 0;
 		if (maxcnt > 0) {
 			layp = malloc(maxcnt + 1, M_TEMP, M_WAITOK);
 			error = nfsrv_mtostr(nd, (char *)layp, maxcnt);
--- a/sys/fs/nfsserver/nfs_nfsdstate.c
+++ b/sys/fs/nfsserver/nfs_nfsdstate.c
@ -7301,7 +7301,7 @@ nfsrv_layoutreturn(struct nfsrv_descript *nd, vnode_t vp,
 			}
 			NFSDRECALLUNLOCK();
 		}
-		if (layouttype == NFSLAYOUT_FLEXFILE)
+		if (layouttype == NFSLAYOUT_FLEXFILE && layp != NULL)
 			nfsrv_flexlayouterr(nd, layp, maxcnt, p);
 	} else if (kind == NFSV4LAYOUTRET_FSID)
 		nfsrv_freelayouts(&nd->nd_clientid,