On Tue, 2009-10-06 at 21:37 +0200, Christian Salzmann wrote: > Hi Ben, > > I tracked this bug down and a fix should be in the next stable update. > > > Wow, thank you for your immediate response! > > Although the fix is "obvious" to me looking at the code, it would be better > > if you could verify the fix on your system. Are you happy to build and > > install a new kernel package, given instructions? > > > This wouldn't be the first one, so any patch is welcome ;-)
The patch is attached. Instructions for rebuilding the kernel package are at <http://kernel-handbook.alioth.debian.org/ch-common-tasks.html#s-common-official>. Make sure that APT downloads the source from stable-security, not from unstable. Ben. -- Ben Hutchings To err is human; to really foul things up requires a computer.
From: Ben Hutchings <b...@decadent.org.uk> Date: Sun, 04 Oct 2009 14:25:50 +0100 Subject: [PATCH] nfs: Avoid overrun when copying client IP address string As seen in <http://bugs.debian.org/549002>, nfs4_init_client() can overrun the source string when copying the client IP address from nfs_parsed_mount_data::client_address to nfs_client::cl_ipaddr. Since these are both treated as null-terminated strings elsewhere, the copy should be done with strlcpy() not memcpy(). Signed-off-by: Ben Hutchings <b...@decadent.org.uk> --- diff --git a/fs/nfs/client.c b/fs/nfs/client.c index 75c9cd2..f525a2f 100644 --- a/fs/nfs/client.c +++ b/fs/nfs/client.c @@ -1073,7 +1073,7 @@ static int nfs4_init_client(struct nfs_client *clp, 1, flags & NFS_MOUNT_NORESVPORT); if (error < 0) goto error; - memcpy(clp->cl_ipaddr, ip_addr, sizeof(clp->cl_ipaddr)); + strlcpy(clp->cl_ipaddr, ip_addr, sizeof(clp->cl_ipaddr)); error = nfs_idmap_new(clp); if (error < 0) {
signature.asc
Description: This is a digitally signed message part