From 50d6e3287605abbf7f624fd7f19357b2f27b7091 Mon Sep 17 00:00:00 2001
From: Fabian Keil <fk@fabiankeil.de>
Date: Thu, 2 Apr 2015 19:52:54 +0200
Subject: [PATCH 295/325] ggated recv_thread(): Reject request with more than
 MAXPHYS bytes of data

.. to limit the amount of memory we (try to) allocate on behalf
of the client without knowing whether or not the client actually
intents to use it.

MAXPHYS is the hardcoded limit in ggatec so anything above it is
suspicious and could be a DoS attempt. This commit forces users who
like to tune MAXPHYS to make sure the value used by ggated is not
below the one used by ggatec. While not ideal, this seems preferable
to the DoS risk.

Reported to security-officer@FreeBSD.org on 2015-04-05.

Obtained from: ElectroBSD
---
 sbin/ggate/ggated/ggated.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/sbin/ggate/ggated/ggated.c b/sbin/ggate/ggated/ggated.c
index 29c227dbd693..edbf9b952ba7 100644
--- a/sbin/ggate/ggated/ggated.c
+++ b/sbin/ggate/ggated/ggated.c
@@ -685,6 +685,16 @@ recv_thread(void *arg)
 			    "not fit sector size.");
 		}
 
+		/*
+		 * Limit the amount of memory we allocate on behalf of
+		 * the client. MAXPHYS is the hard limit in ggatec,
+		 * values above it are thus pretty suspicious.
+		 */
+		if (req->r_length > MAXPHYS) {
+			g_gate_xlog("Request length above MAXPHYS: %u > %u",
+			    (unsigned)req->r_length, MAXPHYS);
+		}
+
 		/*
 		 * Allocate memory for data.
 		 */
-- 
2.32.0