8085 Handle RPC groups better

Reviewed by: "Joshua M. Clulow" <josh@sysmgr.org>
Reviewed by: Paul Dagnelie <pcd@delphix.com>
Reviewed by: Jerry Jelinek <jerry.jelinek@joyent.com>
Approved by: Dan McDonald <danmcd@omniti.com>

17 files changed, 118 insertions, 45 deletions

diff --git a/usr/src/cmd/fs.d/nfs/rquotad/rpc.rquotad.c b/usr/src/cmd/fs.d/nfs/rquotad/rpc.rquotad.c
index 4eacff6270..da94792505 100644
--- a/usr/src/cmd/fs.d/nfs/rquotad/rpc.rquotad.c
+++ b/usr/src/cmd/fs.d/nfs/rquotad/rpc.rquotad.c
@@ -19,6 +19,7 @@
  * CDDL HEADER END
  */
 /*
+ * Copyright 2017 Joyent Inc
  * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
  * Use is subject to license terms.
  */
@@ -37,6 +38,7 @@
 #include <sys/mnttab.h>
 #include <sys/param.h>
 #include <sys/time.h>
+#include <sys/debug.h>
 #ifdef notdef
 #include <netconfig.h>
 #endif
@@ -327,6 +329,7 @@ getquota(rqstp, transp)
 	 * This authentication is really bogus with the current rpc
 	 * authentication scheme. One day we will have something for real.
 	 */
+	CTASSERT(sizeof (authp) <= RQCRED_SIZE);
 	if (rqstp->rq_cred.oa_flavor != AUTH_UNIX ||
 	    (((authp) rqstp->rq_clntcred)->aup_uid != 0 &&
 		((authp) rqstp->rq_clntcred)->aup_uid != (uid_t)gqa.gqa_uid)) {
diff --git a/usr/src/cmd/gss/gssd/gssd_proc.c b/usr/src/cmd/gss/gssd/gssd_proc.c
index 7a7ee951c2..c6a51aa34a 100644
--- a/usr/src/cmd/gss/gssd/gssd_proc.c
+++ b/usr/src/cmd/gss/gssd/gssd_proc.c
@@ -1,7 +1,4 @@
 /*
- * Copyright (c) 1999, 2010, Oracle and/or its affiliates. All rights reserved.
- */
-/*
  * CDDL HEADER START
  *
  * The contents of this file are subject to the terms of the
@@ -21,6 +18,10 @@
  *
  * CDDL HEADER END
  */
+/*
+ * Copyright 2017 Joyent Inc
+ * Copyright (c) 1999, 2010, Oracle and/or its affiliates. All rights reserved.
+ */
 
 /*
  *  RPC server procedures for the gssapi usermode daemon gssd.
@@ -41,6 +42,7 @@
 #include <stdlib.h>
 #include <syslog.h>
 #include <sys/resource.h>
+#include <sys/debug.h>
 
 #define	SRVTAB	""
 #define	FDCACHE_PERCENTAGE	.75	/* Percentage of total FD limit */
@@ -2647,6 +2649,7 @@ uid_t *uidp;
 		syslog(LOG_ERR, gettext("checkfrom: not UNIX credentials"));
 			goto weakauth;
 		}
+		CTASSERT(sizeof (struct authunix_parms) <= RQCRED_SIZE);
 		/*LINTED*/
 		aup = (struct authunix_parms *)rqstp->rq_clntcred;
 		*uidp = aup->aup_uid;
diff --git a/usr/src/cmd/keyserv/keyserv.c b/usr/src/cmd/keyserv/keyserv.c
index e1d7a39967..393b1635c4 100644
--- a/usr/src/cmd/keyserv/keyserv.c
+++ b/usr/src/cmd/keyserv/keyserv.c
@@ -20,6 +20,7 @@
  */
 
 /*
+ * Copyright 2017 Joyent Inc
  * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
  * Use is subject to license terms.
  */
@@ -66,6 +67,7 @@
 #include <rpcsvc/nis_dhext.h>
 #include <syslog.h>
 #include <libscf.h>
+#include <sys/debug.h>
 
 #include "debug.h"
 #include "keyserv_cache.h"
@@ -1334,6 +1336,7 @@ get_auth(trans, rqstp, uid)
 		fprintf(stderr, "local_uid  %d\n", cred.euid);
 	if (rqstp->rq_cred.oa_flavor == AUTH_SYS ||
 	    rqstp->rq_cred.oa_flavor == AUTH_LOOPBACK) {
+		CTASSERT(sizeof (struct authunix_parms) <= RQCRED_SIZE);
 /* LINTED pointer alignment */
 		*uid = ((struct authunix_parms *)rqstp->rq_clntcred)->aup_uid;
 		return (*uid == cred.euid || cred.euid == 0);
diff --git a/usr/src/cmd/rpcbind/rpcb_svc_com.c b/usr/src/cmd/rpcbind/rpcb_svc_com.c
index 0d2684f0a7..b7a46378ea 100644
--- a/usr/src/cmd/rpcbind/rpcb_svc_com.c
+++ b/usr/src/cmd/rpcbind/rpcb_svc_com.c
@@ -24,6 +24,7 @@
  */
 /*
  * Copyright 2014 Nexenta Systems, Inc.  All rights reserved.
+ * Copyright 2017 Joyent Inc
  */
 /* Copyright (c) 1983, 1984, 1985, 1986, 1987, 1988, 1989 AT&T */
 /* All Rights Reserved */
@@ -81,6 +82,7 @@
 #include <assert.h>
 #include <synch.h>
 #include "rpcbind.h"
+#include <sys/debug.h>
 
 static struct finfo *forward_register(ulong_t, struct netbuf *, int, char *);
 static void forward_destroy(struct finfo *);
@@ -1038,6 +1040,7 @@ rpcbproc_callit_com(struct svc_req *rqstp, SVCXPRT *transp, ulong_t reply_type,
 	} else if (rqstp->rq_cred.oa_flavor == AUTH_SYS) {
 		struct authsys_parms *au;
 
+		CTASSERT(sizeof (struct authsys_parms) <= RQCRED_SIZE);
 		au = (struct authsys_parms *)rqstp->rq_clntcred;
 		auth = authsys_create(au->aup_machname, au->aup_uid,
 		    au->aup_gid, au->aup_len, au->aup_gids);
diff --git a/usr/src/cmd/ypcmd/ypupdated.c b/usr/src/cmd/ypcmd/ypupdated.c
index 764c389c29..19c43e0f1b 100644
--- a/usr/src/cmd/ypcmd/ypupdated.c
+++ b/usr/src/cmd/ypcmd/ypupdated.c
@@ -20,6 +20,7 @@
  * CDDL HEADER END
  */
 /*
+ * Copyright 2017 Joyent Inc
  * Copyright 2000 Sun Microsystems, Inc.  All rights reserved.
  * Use is subject to license terms.
  */
@@ -32,12 +33,6 @@
  * under license from the Regents of the University of California.
  */
 
-#pragma ident	"%Z%%M%	%I%	%E% SMI"
-
-#ifndef lint
-static char sccsid[] = "@(#)rpc.ypupdated.c 1.9 87/10/30 Copyr 1986 Sun Micro";
-#endif
-
 /*
  * YP update service
  */
@@ -51,6 +46,7 @@ static char sccsid[] = "@(#)rpc.ypupdated.c 1.9 87/10/30 Copyr 1986 Sun Micro";
 #include <rpc/nettype.h>
 #include <rpcsvc/ypupd.h>
 #include <rpcsvc/ypclnt.h>
+#include <sys/debug.h>
 #include <netdir.h>
 #include <stropts.h>
 #ifdef SYSLOG
@@ -239,11 +235,13 @@ ypupdate_prog(rqstp, transp)
 #endif
 	switch (rqstp->rq_cred.oa_flavor) {
 	case AUTH_DES:
+		CTASSERT(sizeof (struct authdes_cred) <= RQCRED_SIZE);
 		netname = ((struct authdes_cred *)
 			rqstp->rq_clntcred)->adc_fullname.name;
 		break;
 	case AUTH_UNIX:
 		if (insecure) {
+			CTASSERT(sizeof (struct authunix_parms) <= RQCRED_SIZE);
 			aup = (struct authunix_parms *)rqstp->rq_clntcred;
 			if (aup->aup_uid == 0) {
 				if (addr2netname(namebuf, transp) != 0) {
diff --git a/usr/src/cmd/ypcmd/ypupdated/rpc.ypupdated.c b/usr/src/cmd/ypcmd/ypupdated/rpc.ypupdated.c
index 4756ca7971..c38ad78523 100644
--- a/usr/src/cmd/ypcmd/ypupdated/rpc.ypupdated.c
+++ b/usr/src/cmd/ypcmd/ypupdated/rpc.ypupdated.c
@@ -19,6 +19,7 @@
  * CDDL HEADER END
  */
 /*
+ * Copyright 2017 Joyent Inc
  * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
  * Use is subject to license terms.
  */
@@ -37,6 +38,7 @@
 #include <sys/signal.h>
 #include <sys/stat.h>
 #include <sys/termio.h>
+#include <sys/debug.h>
 #include <strings.h>
 #include <rpcsvc/ypclnt.h>
 #include <rpcsvc/yp_prot.h>
@@ -226,6 +228,10 @@ ypupdate_prog(rqstp, transp)
 		svcerr_noproc(transp);
 		return;
 	}
+
+	CTASSERT(sizeof (struct authdes_cred) <= RQCRED_SIZE);
+	CTASSERT(sizeof (struct authunix_parms) <= RQCRED_SIZE);
+
 	switch (rqstp->rq_cred.oa_flavor) {
 	case AUTH_DES:
 		netname = ((struct authdes_cred *)
diff --git a/usr/src/lib/libnsl/rpc/svc.c b/usr/src/lib/libnsl/rpc/svc.c
index 7c4a8a6342..226e7c571b 100644
--- a/usr/src/lib/libnsl/rpc/svc.c
+++ b/usr/src/lib/libnsl/rpc/svc.c
@@ -23,6 +23,7 @@
  * Copyright (c) 1989, 2010, Oracle and/or its affiliates. All rights reserved.
  * Copyright 2014 Nexenta Systems, Inc.  All rights reserved.
  * Copyright (c) 2016 by Delphix. All rights reserved.
+ * Copyright 2017 Joyent Inc
  */
 /*
  * Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved.
@@ -52,6 +53,7 @@
 #include <stropts.h>
 #include <sys/conf.h>
 #include <rpc/rpc.h>
+#include <rpc/auth.h>
 #ifdef PORTMAP
 #include <rpc/pmap_clnt.h>
 #endif
@@ -75,7 +77,6 @@ int nsvc_xdrs;		/* total number of svc_xdrs allocated */
 int __rpc_use_pollfd_done;	/* to unlimit the number of connections */
 
 #define	NULL_SVC ((struct svc_callout *)0)
-#define	RQCRED_SIZE	400		/* this size is excessive */
 
 /*
  * The services list
diff --git a/usr/src/lib/libnsl/rpc/svc_auth_loopb.c b/usr/src/lib/libnsl/rpc/svc_auth_loopb.c
index f19f8deaea..dbc6240f38 100644
--- a/usr/src/lib/libnsl/rpc/svc_auth_loopb.c
+++ b/usr/src/lib/libnsl/rpc/svc_auth_loopb.c
@@ -22,11 +22,10 @@
 
 /*
  * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
+ * Copyright 2017 Joyent Inc
  * Use is subject to license terms.
  */
 
-#pragma ident	"%Z%%M%	%I%	%E% SMI"
-
 /*
  * Handles the loopback UNIX flavor authentication parameters on the
  * service side of rpc.
@@ -37,6 +36,18 @@
 #include <rpc/rpc.h>
 #include <syslog.h>
 #include <sys/types.h>
+#include <sys/debug.h>
+
+/*
+ * NOTE: this has to fit inside RQCRED_SIZE bytes. If you update this struct,
+ * double-check it still fits.
+ */
+struct authlpbk_area {
+	struct authsys_parms area_aup;
+	char area_machname[MAX_MACHINE_NAME+1];
+	gid_t area_gids[NGRPS_LOOPBACK];
+};
+CTASSERT(sizeof (struct authlpbk_area) <= RQCRED_SIZE);
 
 /*
  * Loopback system (Unix) longhand authenticator
@@ -48,17 +59,13 @@ __svcauth_loopback(struct svc_req *rqst, struct rpc_msg *msg)
 	XDR xdrs;
 	struct authsys_parms *aup;
 	rpc_inline_t *buf;
-	struct area {
-		struct authsys_parms area_aup;
-		char area_machname[MAX_MACHINE_NAME+1];
-		gid_t area_gids[NGRPS_LOOPBACK];
-	} *area;
+	struct authlpbk_area *area;
 	size_t auth_len;
 	size_t str_len, gid_len;
 	int i;
 
 	/* LINTED pointer cast */
-	area = (struct area *)rqst->rq_clntcred;
+	area = (struct authlpbk_area *)rqst->rq_clntcred;
 	aup = &area->area_aup;
 	aup->aup_machname = area->area_machname;
 	aup->aup_gids = area->area_gids;
@@ -75,6 +82,10 @@ __svcauth_loopback(struct svc_req *rqst, struct rpc_msg *msg)
 			stat = AUTH_BADCRED;
 			goto done;
 		}
+		if (str_len > auth_len) {
+			stat = AUTH_BADCRED;
+			goto done;
+		}
 		(void) memcpy(aup->aup_machname, buf, str_len);
 		aup->aup_machname[str_len] = 0;
 		str_len = RNDUP(str_len);
@@ -86,10 +97,6 @@ __svcauth_loopback(struct svc_req *rqst, struct rpc_msg *msg)
 			stat = AUTH_BADCRED;
 			goto done;
 		}
-		aup->aup_len = gid_len;
-		for (i = 0; i < gid_len; i++) {
-			aup->aup_gids[i] = (gid_t)IXDR_GET_INT32(buf);
-		}
 		/*
 		 * five is the smallest unix credentials structure -
 		 * timestamp, hostname len (0), uid, gid, and gids len (0).
@@ -101,6 +108,10 @@ __svcauth_loopback(struct svc_req *rqst, struct rpc_msg *msg)
 			stat = AUTH_BADCRED;
 			goto done;
 		}
+		aup->aup_len = gid_len;
+		for (i = 0; i < gid_len; i++) {
+			aup->aup_gids[i] = (gid_t)IXDR_GET_INT32(buf);
+		}
 	} else if (!xdr_authloopback_parms(&xdrs, aup)) {
 		xdrs.x_op = XDR_FREE;
 		(void) xdr_authloopback_parms(&xdrs, aup);
diff --git a/usr/src/lib/libnsl/rpc/svc_auth_sys.c b/usr/src/lib/libnsl/rpc/svc_auth_sys.c
index e86fb86136..87e546207e 100644
--- a/usr/src/lib/libnsl/rpc/svc_auth_sys.c
+++ b/usr/src/lib/libnsl/rpc/svc_auth_sys.c
@@ -22,6 +22,7 @@
 
 /*
  * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
+ * Copyright 2017 Joyent Inc
  * Use is subject to license terms.
  */
 
@@ -33,8 +34,6 @@
  * California.
  */
 
-#pragma ident	"%Z%%M%	%I%	%E% SMI"
-
 /*
  * Handles UNIX flavor authentication parameters on the service side of rpc.
  * There are two svc auth implementations here: AUTH_SYS and AUTH_SHORT.
@@ -50,9 +49,21 @@
 #include <rpc/rpc.h>
 #include <syslog.h>
 #include <sys/types.h>
+#include <sys/debug.h>
 #include <string.h>
 
 /*
+ * NOTE: this has to fit inside RQCRED_SIZE bytes. If you update this struct,
+ * double-check it still fits.
+ */
+struct authsys_area {
+	struct authsys_parms area_aup;
+	char area_machname[MAX_MACHINE_NAME+1];
+	gid_t area_gids[NGRPS];
+};
+CTASSERT(sizeof (struct authsys_area) <= RQCRED_SIZE);
+
+/*
  * System (Unix) longhand authenticator
  */
 enum auth_stat
@@ -62,17 +73,13 @@ __svcauth_sys(struct svc_req *rqst, struct rpc_msg *msg)
 	XDR xdrs;
 	struct authsys_parms *aup;
 	rpc_inline_t *buf;
-	struct area {
-		struct authsys_parms area_aup;
-		char area_machname[MAX_MACHINE_NAME+1];
-		gid_t area_gids[NGRPS];
-	} *area;
+	struct authsys_area *area;
 	uint_t auth_len;
 	uint_t str_len, gid_len;
 	int i;
 
 	/* LINTED pointer cast */
-	area = (struct area *)rqst->rq_clntcred;
+	area = (struct authsys_area *)rqst->rq_clntcred;
 	aup = &area->area_aup;
 	aup->aup_machname = area->area_machname;
 	aup->aup_gids = area->area_gids;
diff --git a/usr/src/lib/libnsl/rpc/svcauth_des.c b/usr/src/lib/libnsl/rpc/svcauth_des.c
index b8e6fd31e9..6d6522717a 100644
--- a/usr/src/lib/libnsl/rpc/svcauth_des.c
+++ b/usr/src/lib/libnsl/rpc/svcauth_des.c
@@ -23,6 +23,7 @@
  * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
  * Use is subject to license terms.
  * Copyright (c) 2016 by Delphix. All rights reserved.
+ * Copyright 2017 Joyent Inc
  */
 /* Copyright (c) 1983, 1984, 1985, 1986, 1987, 1988, 1989 AT&T */
 /* All Rights Reserved */
@@ -57,6 +58,7 @@
 #include <unistd.h>
 #include <string.h>
 #include <strings.h>
+#include <sys/debug.h>
 
 #include <syslog.h>
 
@@ -114,6 +116,16 @@ struct {
 } svcauthdes_stats;
 
 /*
+ * NOTE: this has to fit inside RQCRED_SIZE bytes. If you update this struct,
+ * double-check it still fits.
+ */
+struct authdes_area {
+	struct authdes_cred area_cred;
+	char area_netname[MAXNETNAMELEN+1];
+};
+CTASSERT(sizeof (struct authdes_area) <= RQCRED_SIZE);
+
+/*
  * Service side authenticator for AUTH_DES
  */
 enum auth_stat
@@ -130,12 +142,9 @@ __svcauth_des(struct svc_req *rqst, struct rpc_msg *msg)
 	des_block	*sessionkey, init_sessionkey;
 	des_block	ivec;
 	uint_t	window;
+	struct authdes_area *area;
 	struct timeval	timestamp;
 	uint32_t	namelen;
-	struct area {
-		struct authdes_cred area_cred;
-		char area_netname[MAXNETNAMELEN+1];
-	} *area;
 	int	fullname_rcvd = 0;
 	int from_cache = 0;
 
@@ -150,7 +159,7 @@ __svcauth_des(struct svc_req *rqst, struct rpc_msg *msg)
 	(void) mutex_unlock(&authdes_lock);
 
 	/* LINTED pointer cast */
-	area = (struct area *)rqst->rq_clntcred;
+	area = (struct authdes_area *)rqst->rq_clntcred;
 	cred = (struct authdes_cred *)&area->area_cred;
 
 	if ((uint_t)msg->rm_call.cb_cred.oa_length == 0)
diff --git a/usr/src/uts/common/fs/nfs/nfs_log_xdr.c b/usr/src/uts/common/fs/nfs/nfs_log_xdr.c
index a6d2065003..c44029c23e 100644
--- a/usr/src/uts/common/fs/nfs/nfs_log_xdr.c
+++ b/usr/src/uts/common/fs/nfs/nfs_log_xdr.c
@@ -19,18 +19,18 @@
  * CDDL HEADER END
  */
 /*
+ * Copyright 2017 Joyent Inc
  * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
  * Use is subject to license terms.
  */
 
-#pragma ident	"%Z%%M%	%I%	%E% SMI"
-
 #include <sys/types.h>
 #include <sys/systm.h>
 #include <sys/cmn_err.h>
 #include <sys/kmem.h>
 #include <sys/cred.h>
 #include <sys/dirent.h>
+#include <sys/debug.h>
 #include <rpc/types.h>
 #include <nfs/nfs.h>
 #include <nfs/export.h>
@@ -61,6 +61,7 @@ nfsl_principal_name_get(struct svc_req *req)
 
 	case AUTH_DES:
 		adc = (struct authdes_cred *)req->rq_clntcred;
+		CTASSERT(sizeof (struct authdes_cred) <= RQCRED_SIZE);
 		principal_name = adc->adc_fullname.name;
 		break;
 
diff --git a/usr/src/uts/common/fs/nfs/nfs_server.c b/usr/src/uts/common/fs/nfs/nfs_server.c
index 7e94c62734..26a32225bb 100644
--- a/usr/src/uts/common/fs/nfs/nfs_server.c
+++ b/usr/src/uts/common/fs/nfs/nfs_server.c
@@ -23,6 +23,7 @@
  * Copyright (c) 2011 Bayard G. Bell. All rights reserved.
  * Copyright (c) 2013 by Delphix. All rights reserved.
  * Copyright 2014 Nexenta Systems, Inc.  All rights reserved.
+ * Copyright (c) 2017 Joyent Inc
  */
 
 /*
@@ -66,6 +67,7 @@
 #include <sys/mode.h>
 #include <sys/acl.h>
 #include <sys/sdt.h>
+#include <sys/debug.h>
 
 #include <rpc/types.h>
 #include <rpc/auth.h>
@@ -1990,6 +1992,7 @@ checkwin(int flavor, int window, struct svc_req *req)
 	switch (flavor) {
 	case AUTH_DES:
 		adc = (struct authdes_cred *)req->rq_clntcred;
+		CTASSERT(sizeof (struct authdes_cred) <= RQCRED_SIZE);
 		if (adc->adc_fullname.window > window)
 			return (0);
 		break;
diff --git a/usr/src/uts/common/rpc/auth.h b/usr/src/uts/common/rpc/auth.h
index 1af0c65857..bf4a97cfe9 100644
--- a/usr/src/uts/common/rpc/auth.h
+++ b/usr/src/uts/common/rpc/auth.h
@@ -20,6 +20,7 @@
  */
 /*
  * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
+ * Copyright 2017 Joyent Inc
  * Use is subject to license terms.
  */
 /* Copyright (c) 1983, 1984, 1985, 1986, 1987, 1988, 1989 AT&T */
@@ -53,10 +54,23 @@
 extern "C" {
 #endif
 
-#define	MAX_AUTH_BYTES	400
+#define	MAX_AUTH_BYTES	400	/* maximum length of an auth type, from RFC */
 #define	MAXNETNAMELEN	255	/* maximum length of network user's name */
 
 /*
+ * NOTE: this value *must* be kept larger than the maximum size of all the
+ * structs that rq_clntcred is cast to in the different authentication types.
+ * If changes are made to any of these *_area structs, double-check they all
+ * still fit. If any new authentication mechanisms are added, add a note here.
+ *
+ * Currently these structs can be found in:
+ *  - __svcauth_sys (svc_auth_sys.c)
+ *  - __svcauth_des (svcauth_des.c)
+ *  - __svcauth_loopback (svc_auth_loopb.c)
+ */
+#define	RQCRED_SIZE	700	/* size allocated for rq_clntcred */
+
+/*
  *  Client side authentication/security data
  */
 typedef struct sec_data {
diff --git a/usr/src/uts/common/rpc/auth_sys.h b/usr/src/uts/common/rpc/auth_sys.h
index 157546842b..df1809068e 100644
--- a/usr/src/uts/common/rpc/auth_sys.h
+++ b/usr/src/uts/common/rpc/auth_sys.h
@@ -21,6 +21,7 @@
 
 /*
  * Copyright 2014 Nexenta Systems, Inc.  All rights reserved.
+ * Copyright 2017 Joyent Inc
  */
 
 /*
@@ -65,9 +66,6 @@ extern "C" {
 /* gids compose part of a credential; there may not be more than 16 of them */
 #define	 NGRPS 16
 
-/* gids compose part of a credential */
-#define	 NGRPS_LOOPBACK NGROUPS_UMAX
-
 /*
  * "sys" (Old UNIX) style credentials.
  */
@@ -82,6 +80,17 @@ struct authsys_parms {
 /* For backward compatibility */
 #define	 authunix_parms authsys_parms
 
+/*
+ * Ideally, we would like this to be NGROUPS_UMAX, but the RFC mandates that
+ * auth sections must not exceed 400 bytes. For AUTH_LOOPBACK, that means the
+ * largest number of groups we can have without breaking RFC compat is 92
+ * groups.
+ *
+ * NOTE: changing this value changes the size of authlpbk_area in
+ * svc_auth_loopb.c, which means RQCRED_SIZE *must* be updated!
+ */
+#define	 NGRPS_LOOPBACK 92
+
 #ifdef __STDC__
 extern bool_t xdr_authsys_parms(XDR *, struct authsys_parms *);
 extern bool_t xdr_authloopback_parms(XDR *, struct authsys_parms *);
diff --git a/usr/src/uts/common/rpc/sec/svc_authu.c b/usr/src/uts/common/rpc/sec/svc_authu.c
index 6cfc89467c..224a8d33f6 100644
--- a/usr/src/uts/common/rpc/sec/svc_authu.c
+++ b/usr/src/uts/common/rpc/sec/svc_authu.c
@@ -21,6 +21,7 @@
  */
 /*
  * Copyright 1989 Sun Microsystems, Inc.  All rights reserved.
+ * Copyright 2017 Joyent Inc
  * Use is subject to license terms.
  */
 
@@ -32,8 +33,6 @@
  * under license from the Regents of the University of California.
  */
 
-#ident	"%Z%%M%	%I%	%E% SMI"
-
 /*
  * svc_auth_unix.c
  * Handles UNIX flavor authentication parameters on the service side of rpc.
@@ -54,6 +53,7 @@
 #include <sys/tihdr.h>
 #include <sys/t_kuser.h>
 #include <sys/cmn_err.h>
+#include <sys/debug.h>
 
 #include <rpc/types.h>
 #include <rpc/xdr.h>
@@ -84,6 +84,7 @@ _svcauth_unix(struct svc_req *rqst, struct rpc_msg *msg)
 	u_int str_len, gid_len;
 	int i;
 
+	CTASSERT(sizeof (struct area) <= RQCRED_SIZE);
 	/* LINTED pointer alignment */
 	area = (struct area *) rqst->rq_clntcred;
 	aup = &area->area_aup;
diff --git a/usr/src/uts/common/rpc/sec/svcauthdes.c b/usr/src/uts/common/rpc/sec/svcauthdes.c
index a2dfa41c29..563067bb04 100644
--- a/usr/src/uts/common/rpc/sec/svcauthdes.c
+++ b/usr/src/uts/common/rpc/sec/svcauthdes.c
@@ -19,6 +19,7 @@
  * CDDL HEADER END
  */
 /*
+ * Copyright 2017 Joyent Inc
  * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
  * Use is subject to license terms.
  */
@@ -59,6 +60,7 @@
 #include <sys/kmem.h>
 #include <sys/time.h>
 #include <sys/cmn_err.h>
+#include <sys/debug.h>
 
 #include <rpc/types.h>
 #include <rpc/xdr.h>
@@ -159,6 +161,7 @@ _svcauth_des(struct svc_req *rqst, struct rpc_msg *msg)
 	}
 	mutex_exit(&authdes_lock);
 
+	CTASSERT(sizeof (struct area) <= RQCRED_SIZE);
 	/* LINTED pointer alignment */
 	area = (struct area *)rqst->rq_clntcred;
 	cred = (struct authdes_cred *)&area->area_cred;
diff --git a/usr/src/uts/common/rpc/svc.c b/usr/src/uts/common/rpc/svc.c
index c0ca1ede3f..43f8a6d703 100644
--- a/usr/src/uts/common/rpc/svc.c
+++ b/usr/src/uts/common/rpc/svc.c
@@ -207,8 +207,6 @@
 #include <nfs/nfs.h>
 #include <sys/tsol/label_macro.h>
 
-#define	RQCRED_SIZE	400	/* this size is excessive */
-
 /*
  * Defines for svc_poll()
  */