[PATCH] Fix for XDR Backend of NFS4ACL_XATTR module to get it working with NFS4.0 ACL Spec

Sandeep Nashikkar snashikkar at commvault.com
Thu Jul 26 06:47:21 UTC 2018

On Wed, July 25, 2018 Jeremy Allison wrote:
> > On Tue, Jul 24, 2018 at 10:35:16AM +0000, Sandeep Nashikkar via samba-technical wrote:
> > 
> > <Sandeep> Can you please elaborate more on what kind of limitations to 
> > check the string length against? Are there any specific limits as per RFC which restrict the security principal string length (or additions of it) to x number of bytes?

> It's not to do with limits as specified in the RFC, it's to do with protection against integer wrap overflow.
> See here:
> https://www.cs.utexas.edu/~shmat/courses/cs380s_fall09/blexim.txt
> for details. If you're reading an ACL given to you by an untrusted source, you can't trust any of the lengths given to you inside it.
> For example, an ACL definition might have:
> {
> 	uint32_t string_len
> 	uint32_t flags
> 	char [] string.
> } array_of_ACEs.
> The client can set string_len to something like 0xFFFFFFFE (32-bit length) then send a long string.
> If the receiving code does:
> ace = talloc(string_len + sizeof(flags)); read_string_into_allocated_ace
> you've allocted a 2 byte space and then
> overwritten your heap with the untrusted data.
> *All* of the code you have that does arithmetic on values in the ACE sent from the client (or read off the encoded ACL from the filesystem if that ACL can be
> written by a non-root process) must check by doing
> if (val1 + val2 < val1) {
> }
> protection on every arithmetic operation.
> Jeremy.

Thanks a lot Jeremy for your clarification. I will check for these in the code and resubmit the patch. 


***************************Legal Disclaimer***************************
"This communication may contain confidential and privileged material for the
sole use of the intended recipient. Any unauthorized review, use or distribution
by others is strictly prohibited. If you have received the message by mistake,
please advise the sender by reply email and delete the message. Thank you."

More information about the samba-technical mailing list