[PATCH] Fix for XDR Backend of NFS4ACL_XATTR module to get it working with NFS4.0 ACL Spec

Jeremy Allison jra at samba.org
Wed Jul 25 18:06:08 UTC 2018


On Tue, Jul 24, 2018 at 10:35:16AM +0000, Sandeep Nashikkar via samba-technical wrote:
> 
> <Sandeep> Can you please elaborate more on what kind of limitations to
> check the string length against? Are there any specific limits as per RFC which restrict the security principal string length (or additions of it) to x number of bytes?

It's not to do with limits as specified in the RFC,
it's to do with protection against integer wrap overflow.

See here:

https://www.cs.utexas.edu/~shmat/courses/cs380s_fall09/blexim.txt

for details. If you're reading an ACL given to you by
an untrusted source, you can't trust any of the lengths given
to you inside it.

For example, an ACL definition might have:

struct {
	uint32_t string_len;
	uint32_t flags;
	char string[];
} array_of_ACEs;

The client can set string_len to something like
0xFFFFFFFE (32-bit length) then send a long string.

If the receiving code does:

ace = talloc(string_len + sizeof(flags));
read_string_into_allocated_ace

you've allocated a 2 byte space and then
overwritten your heap with the untrusted
data.

*All* of the code you have that does arithmetic
on values in the ACE sent from the client (or
read off the encoded ACL from the filesystem
if that ACL can be written by a non-root process)
must check by doing

if (val1 + val2 < val1) {
	// OVERFLOW
}

protection on every arithmetic operation.

Jeremy.
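The check described in the mail, worked through as an added example of a length-checked ACE decoder (this is illustrative code, not Samba's; the wire layout, names and return codes are this example's own assumptions, with big-endian fields as in XDR):

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Return codes; names are this example's own, not Samba's. */
enum { ACE_OK = 0, ACE_ERR_TRUNC = -1, ACE_ERR_WRAP = -2,
       ACE_ERR_TOO_LONG = -3, ACE_ERR_NOMEM = -4 };

/* Assumed wire layout: uint32 string_len, uint32 flags, then
 * string_len bytes of principal string, all big-endian (XDR style). */
struct ace {
    uint32_t flags;
    uint32_t string_len;
    char *string;        /* heap copy, NUL-terminated, caller frees */
};

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Parse one ACE from an untrusted buffer. The 32-bit arithmetic on
 * string_len is checked with the "a + b < a" test before the result
 * is used for allocation or copying. */
int parse_ace(const uint8_t *buf, size_t buf_len, struct ace *out)
{
    const uint32_t header = 2 * sizeof(uint32_t);
    uint32_t string_len, flags, total;

    if (buf_len < header) {
        return ACE_ERR_TRUNC;          /* not even a full header */
    }
    string_len = be32(buf);
    flags = be32(buf + sizeof(uint32_t));

    total = string_len + header;       /* may wrap: 0xFFFFFFFE + 8 == 6 */
    if (total < string_len) {
        return ACE_ERR_WRAP;           /* the mail's a + b < a check */
    }
    if (total > buf_len) {
        return ACE_ERR_TOO_LONG;       /* claims more bytes than were sent */
    }
    /* +1 for the terminator cannot wrap: total above did not wrap,
     * so string_len is well below UINT32_MAX. */
    out->string = malloc((size_t)string_len + 1);
    if (out->string == NULL) {
        return ACE_ERR_NOMEM;
    }
    memcpy(out->string, buf + header, string_len);
    out->string[string_len] = '\0';
    out->string_len = string_len;
    out->flags = flags;
    return ACE_OK;
}
```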

