From dbcf3f1d755fbd5d7b5b15725f07f3776729d0a6 Mon Sep 17 00:00:00 2001
From: Fabian Keil <fk@fabiankeil.de>
Date: Thu, 2 Apr 2015 19:52:54 +0200
Subject: [PATCH 249/310] ggated recv_thread(): Reject request with more than
 MAXPHYS bytes of data

.. to limit the amount of memory we (try to) allocate on behalf
of the client without knowing whether or not the client actually
intents to use it.

MAXPHYS is the hardcoded limit in ggatec so anything above it is
suspicious and could be a DoS attempt. This commit forces users who
like to tune MAXPHYS to make sure the value used by ggated is not
below the one used by ggatec. While not ideal, this seems preferable
to the DoS risk.

Reported to security-officer@FreeBSD.org on 2015-04-05.

Obtained from: ElectroBSD
---
 sbin/ggate/ggated/ggated.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/sbin/ggate/ggated/ggated.c b/sbin/ggate/ggated/ggated.c
index 935b289868ea..d5d8d564253c 100644
--- a/sbin/ggate/ggated/ggated.c
+++ b/sbin/ggate/ggated/ggated.c
@@ -685,6 +685,16 @@ recv_thread(void *arg)
 			    "not fit sector size.");
 		}
 
+		/*
+		 * Limit the amount of memory we allocate on behalf of
+		 * the client. MAXPHYS is the hard limit in ggatec,
+		 * values above it are thus pretty suspicious.
+		 */
+		if (req->r_length > MAXPHYS) {
+			g_gate_xlog("Request length above MAXPHYS: %u > %u",
+			    (unsigned)req->r_length, MAXPHYS);
+		}
+
 		/*
 		 * Allocate memory for data.
 		 */
-- 
2.37.1