fix sanity check for offset and length of Allocate NFSv4.2 operation
ClosedPublic
Actions

Authored by rmacklem on Aug 12 2021, 2:20 AM.

Details

Reviewers

kib
asomers

Commits

rG06afb53bcd7b: nfsd: Fix sanity check for NFSv4.2 Allocate operations

Summary

When coding the Deallocate operation, I spotted that the sanity
check in Allocate looks bogus.
off and len are off_t (signed int64_t)
lo_first and lo_end are unsigned uint64_t

I added a check for off < 0 and used lo_first
to ensure the addition is done unsigned.
I check that lo_end does not exceed OFF_MAX,
which I think is as large as any FreeBSD file system
can handle.

Does this version look correct?
(I could also do the lo_end < lo_first check, but an
overflow could only occur if off_t became uint64_t.
Is that ever likely to happen?)

Diff Detail

Repository

rG FreeBSD src repository

Lint

Lint Not Applicable

Unit

Tests Not Applicable

Event Timeline

rmacklem requested review of this revision.Aug 12 2021, 2:20 AM

rmacklem created this revision.

kib added inline comments.Aug 12 2021, 12:31 PM

sys/fs/nfsserver/nfs_nfsdserv.c
5361	Don't you still need to check that lo_end > lo_first?

rmacklem added inline comments.Aug 12 2021, 2:35 PM

sys/fs/nfsserver/nfs_nfsdserv.c
5361	Well, since off and len are both checked non-negative, that means they can't be greater than OFF_MAX. --> OFF_MAX + OFFMAX cannot be greater than UINT64_MAX. So, as long as off_t is signed, lo_end could not have overflowed. --> lo_end could be less than lo_first only if off or len were negative, I think? I can add lo_end > lo_first back in as a safety belt in case off_t is changed to unit64_t or int128_t someday.