Re: [PATCH v5] nfsd: validate sockaddr length per family in listener_set
From: Chuck Lever
Date: Mon Jun 15 2026 - 17:03:39 EST
On Mon, 15 Jun 2026 14:31:25 -0400, Jeff Layton wrote:
> nfsd_sock_nl_policy declares NFSD_A_SOCK_ADDR as a bare NLA_BINARY
> attribute with no minimum length. A CAP_NET_ADMIN caller can send a
> 16-byte NFSD_A_SOCK_ADDR with sa_family=AF_INET6, causing a 12-byte
> OOB read across three consumers (rpc_cmp_addr_port, svc_find_listener,
> kernel_bind).
>
> nfsd_nl_listener_set_doit() also parsed and validated each listener
> entry inline in two separate loops, interleaved with mutating the
> running listener configuration. The validation was duplicated, used an
> open-coded "nla_len < sizeof(struct sockaddr)" check that was too short
> for AF_INET6, and handled a malformed entry inconsistently depending on
> which loop noticed it.
>
> [...]
Applied to nfsd-testing, thanks!
[1/1] nfsd: validate sockaddr length per family in listener_set
commit: 1f102d9ff00620b845546051ad1ee57976f2db88
--
Chuck Lever
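
Added example, not part of the message above or of the applied patch: a userspace C sketch of the length problem the quoted commit message describes, putting the open-coded `sizeof(struct sockaddr)` floor next to a per-family length check. All function names are hypothetical, the payloads are constructed test buffers, and the code assumes only the standard socket headers, not the nfsd netlink code.

```c
#include <stddef.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>

/* The open-coded check quoted in the commit message: one floor for all families. */
static int old_len_ok(size_t len) { return len >= sizeof(struct sockaddr); }

/* Hypothetical helper: bytes a consumer reads for this family (0 = not accepted). */
static size_t sockaddr_need(sa_family_t family)
{
	switch (family) {
	case AF_INET:  return sizeof(struct sockaddr_in);
	case AF_INET6: return sizeof(struct sockaddr_in6);
	default:       return 0;
	}
}

/* Read sa_family from an attribute payload; AF_UNSPEC if too short to hold it. */
static sa_family_t payload_family(const unsigned char *buf, size_t len)
{
	sa_family_t family = AF_UNSPEC;
	size_t off = offsetof(struct sockaddr, sa_family);
	if (len >= off + sizeof(family))
		memcpy(&family, buf + off, sizeof(family));
	return family;
}

/* Per-family check: the payload must cover the whole structure its family implies. */
static int sockaddr_len_ok(const unsigned char *buf, size_t len)
{
	size_t need = sockaddr_need(payload_family(buf, len));
	return need != 0 && len >= need;
}

/* Bytes read past the payload if it is accepted and consumed as its claimed family. */
static size_t overread_bytes(const unsigned char *buf, size_t len)
{
	size_t need = sockaddr_need(payload_family(buf, len));
	return need > len ? need - len : 0;
}

/* Constructed sample: zeroed payload (len >= sizeof(struct sockaddr)) with sa_family set. */
static void make_payload(unsigned char *buf, size_t len, sa_family_t family)
{
	memset(buf, 0, len);
	memcpy(buf + offsetof(struct sockaddr, sa_family), &family, sizeof(family));
}
```

For a 16-byte payload marked AF_INET6, the single floor accepts the attribute while the per-family check rejects it, and the shortfall equals the 12 bytes named in the commit message.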