From 7b141d5db3a2243955102b3178932476ac98f0b8 Mon Sep 17 00:00:00 2001
From: Peter Wemm <peter@FreeBSD.org>
Date: Mon, 30 Jul 2001 20:01:59 +0000
Subject: [PATCH] Check the filehandle size when mounting.

Obtained from:  Constantine Sapuntzakis <csapuntz@openbsd.org>
---
 sys/nfs/nfs_vfsops.c       | 2 ++
 sys/nfsclient/nfs_vfsops.c | 2 ++
 2 files changed, 4 insertions(+)

diff --git a/sys/nfs/nfs_vfsops.c b/sys/nfs/nfs_vfsops.c
index 706fd1f89c3..bc6f3c09adb 100644
--- a/sys/nfs/nfs_vfsops.c
+++ b/sys/nfs/nfs_vfsops.c
@@ -804,6 +804,8 @@ nfs_mount(mp, path, data, ndp, p)
 		nfs_decode_args(nmp, &args);
 		return (0);
 	}
+	if (args.fhsize < 0 || args.fhsize > NFSX_V3FHMAX)
+		return (EINVAL);
 	error = copyin((caddr_t)args.fh, (caddr_t)nfh, args.fhsize);
 	if (error)
 		return (error);
diff --git a/sys/nfsclient/nfs_vfsops.c b/sys/nfsclient/nfs_vfsops.c
index 706fd1f89c3..bc6f3c09adb 100644
--- a/sys/nfsclient/nfs_vfsops.c
+++ b/sys/nfsclient/nfs_vfsops.c
@@ -804,6 +804,8 @@ nfs_mount(mp, path, data, ndp, p)
 		nfs_decode_args(nmp, &args);
 		return (0);
 	}
+	if (args.fhsize < 0 || args.fhsize > NFSX_V3FHMAX)
+		return (EINVAL);
 	error = copyin((caddr_t)args.fh, (caddr_t)nfh, args.fhsize);
 	if (error)
 		return (error);
-- 
2.45.2