[PATCH v2 9/9] nfsd: validate symlink target length in NFSv4 CREATE
From: Jeff Layton
Date: Sat May 30 2026 - 09:23:51 EST
nfsd4_decode_create() accepts an unbounded cr_datalen from the wire for
NF4LNK symlink targets, allowing a client to force a kmalloc of up to
the RPC-max size (~1 MiB) per COMPOUND op that persists until compound
teardown. The VFS rejects oversized targets with ENAMETOOLONG, but the
allocation has already occurred.

Reject cr_datalen == 0 early with nfserr_inval and
cr_datalen >= PATH_MAX with nfserr_nametoolong to bound the
allocation.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Assisted-by: kres:claude-opus-4-7
Reported-by: Chris Mason <clm@xxxxxxxx>
Signed-off-by: Jeff Layton <jlayton@xxxxxxxxxx>
---
fs/nfsd/nfs4xdr.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/fs/nfsd/nfs4xdr.c b/fs/nfsd/nfs4xdr.c
index 508f6986842f..a5cfce95d2d7 100644
--- a/fs/nfsd/nfs4xdr.c
+++ b/fs/nfsd/nfs4xdr.c
@@ -964,6 +964,10 @@ nfsd4_decode_create(struct nfsd4_compoundargs *argp, union nfsd4_op_u *u)
case NF4LNK:
if (xdr_stream_decode_u32(argp->xdr, &create->cr_datalen) < 0)
return nfserr_bad_xdr;
+ if (create->cr_datalen == 0)
+ return nfserr_inval;
+ if (create->cr_datalen > NFS4_MAXPATHLEN)
+ return nfserr_nametoolong;
p = xdr_inline_decode(argp->xdr, create->cr_datalen);
if (!p)
return nfserr_bad_xdr;
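Review bot: the added length check in this hunk does not match the description in the commit message: the message says `cr_datalen >= PATH_MAX` is rejected with nfserr_nametoolong, but the code rejects `create->cr_datalen > NFS4_MAXPATHLEN`, so the constant and the comparison both differ. Assuming NFS4_MAXPATHLEN resolves to PATH_MAX (as the message implies), a target of exactly PATH_MAX bytes passes the new check, is still allocated, and is then left for the VFS to reject with ENAMETOOLONG, which is the case the patch sets out to avoid. Either change the test to `if (create->cr_datalen >= NFS4_MAXPATHLEN)` so the boundary matches the stated intent, or reword the message to say `> NFS4_MAXPATHLEN` and explain why the one-byte difference is acceptable. A short comment above the two checks stating that the bound exists to cap the later allocation, not just to mirror the VFS limit, would also help the next reader.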
--
2.54.0