nfs_commonsubs.c: Add a sanity check for nid_ngroup

Rick Macklem · Rick Macklem · commit 4672adcea4cf · 2025-10-28T07:44:14.000-07:00
The nfsuserd(8) daemon passes user credentials (uid + gids) into the kernel for users and groups identified by name (received from a NFSv4 server). This patch add a sanity check for the number of groups (nid_ngroup) passed in. It's only purpose is to protect against a bogus nfsuserd(8) running in a jail. Reported by: Ilja Van Sprundel <ivansprundel@ioactive.com> Reviewed by: markj MFC after: 3 days Differential Revision: https://reviews.freebsd.org/D53389
diff --git a/sys/fs/nfs/nfs_commonsubs.c b/sys/fs/nfs/nfs_commonsubs.c
@@ -4192,10 +4192,15 @@ nfssvc_idname(struct nfsd_idargs *nidp)
 	    nidp->nid_namelen);
 	if (error == 0 && nidp->nid_ngroup > 0 &&
 	    (nidp->nid_flag & NFSID_ADDUID) != 0) {
-		grps = malloc(sizeof(gid_t) * nidp->nid_ngroup, M_TEMP,
-		    M_WAITOK);
-		error = copyin(nidp->nid_grps, grps,
-		    sizeof(gid_t) * nidp->nid_ngroup);
+		grps = NULL;
+		if (nidp->nid_ngroup > NGROUPS_MAX)
+			error = EINVAL;
+		if (error == 0) {
+			grps = malloc(sizeof(gid_t) * nidp->nid_ngroup, M_TEMP,
+			    M_WAITOK);
+			error = copyin(nidp->nid_grps, grps,
+			    sizeof(gid_t) * nidp->nid_ngroup);
+		}
 		if (error == 0) {
 			/*
 			 * Create a credential just like svc_getcred(),
