Bug#549002: [PATCH] nfs: Avoid overrun when copying client IP address string

2009-10-04 Thread Ben Hutchings
As seen in http://bugs.debian.org/549002, nfs4_init_client() can
overrun the source string when copying the client IP address from
nfs_parsed_mount_data::client_address to nfs_client::cl_ipaddr.  Since
these are both treated as null-terminated strings elsewhere, the copy
should be done with strlcpy() not memcpy().

Signed-off-by: Ben Hutchings b...@decadent.org.uk
---
diff --git a/fs/nfs/client.c b/fs/nfs/client.c
index 75c9cd2..f525a2f 100644
--- a/fs/nfs/client.c
+++ b/fs/nfs/client.c
@@ -1073,7 +1073,7 @@ static int nfs4_init_client(struct nfs_client *clp,
  1, flags  NFS_MOUNT_NORESVPORT);
if (error  0)
goto error;
-   memcpy(clp-cl_ipaddr, ip_addr, sizeof(clp-cl_ipaddr));
+   strlcpy(clp-cl_ipaddr, ip_addr, sizeof(clp-cl_ipaddr));
 
error = nfs_idmap_new(clp);
if (error  0) {
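Review bot: the strlcpy() return value on the `+` line is discarded, so a client_address longer than sizeof(clp->cl_ipaddr) - 1 bytes is now silently truncated rather than overrunning; if a truncated address is not acceptable for the mount, consider checking the result against sizeof(clp->cl_ipaddr) and failing with an error the same way the surrounding `if (error < 0) goto error;` paths do, or rejecting over-long values where the mount option is parsed. The change itself is the right fix for the stated bug: memcpy() with the destination size reads sizeof(cl_ipaddr) bytes from the source regardless of the string's length, while strlcpy() copies only the string and always terminates.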

-- 
Ben Hutchings
I say we take off; nuke the site from orbit.  It's the only way to be sure.



--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org



Bug#549002: [PATCH] nfs: Avoid overrun when copying client IP address string

2009-10-04 Thread Trond Myklebust
On Sun, 2009-10-04 at 14:25 +0100, Ben Hutchings wrote:
 As seen in http://bugs.debian.org/549002, nfs4_init_client() can
 overrun the source string when copying the client IP address from
 nfs_parsed_mount_data::client_address to nfs_client::cl_ipaddr.  Since
 these are both treated as null-terminated strings elsewhere, the copy
 should be done with strlcpy() not memcpy().
 
 Signed-off-by: Ben Hutchings b...@decadent.org.uk
 ---
 diff --git a/fs/nfs/client.c b/fs/nfs/client.c
 index 75c9cd2..f525a2f 100644
 --- a/fs/nfs/client.c
 +++ b/fs/nfs/client.c
 @@ -1073,7 +1073,7 @@ static int nfs4_init_client(struct nfs_client *clp,
 1, flags  NFS_MOUNT_NORESVPORT);
   if (error  0)
   goto error;
 - memcpy(clp-cl_ipaddr, ip_addr, sizeof(clp-cl_ipaddr));
 + strlcpy(clp-cl_ipaddr, ip_addr, sizeof(clp-cl_ipaddr));
  
   error = nfs_idmap_new(clp);
   if (error  0) {

It looks good, so I'll push it upstream. I assume the bug report also
applies to sta...@kernel.org?

Thanks!

  Trond
-- 
Trond Myklebust
Linux NFS client maintainer

NetApp
trond.mykleb...@netapp.com
www.netapp.com






Bug#549002: [PATCH] nfs: Avoid overrun when copying client IP address string

2009-10-04 Thread Ben Hutchings
On Sun, 2009-10-04 at 18:33 -0400, Trond Myklebust wrote:
 On Sun, 2009-10-04 at 14:25 +0100, Ben Hutchings wrote:
  As seen in http://bugs.debian.org/549002, nfs4_init_client() can
  overrun the source string when copying the client IP address from
  nfs_parsed_mount_data::client_address to nfs_client::cl_ipaddr.  Since
  these are both treated as null-terminated strings elsewhere, the copy
  should be done with strlcpy() not memcpy().
  
  Signed-off-by: Ben Hutchings b...@decadent.org.uk
  ---
  diff --git a/fs/nfs/client.c b/fs/nfs/client.c
  index 75c9cd2..f525a2f 100644
  --- a/fs/nfs/client.c
  +++ b/fs/nfs/client.c
  @@ -1073,7 +1073,7 @@ static int nfs4_init_client(struct nfs_client *clp,
1, flags  NFS_MOUNT_NORESVPORT);
  if (error  0)
  goto error;
  -   memcpy(clp-cl_ipaddr, ip_addr, sizeof(clp-cl_ipaddr));
  +   strlcpy(clp-cl_ipaddr, ip_addr, sizeof(clp-cl_ipaddr));
   
  error = nfs_idmap_new(clp);
  if (error  0) {
 
 It looks good, so I'll push it upstream. I assume the bug report also
 applies to sta...@kernel.org?

This bug appears to have been present forever, though I think it has
become a practical problem since nfs_client::cl_ipaddr was enlarged to
48 bytes in v2.6.25.  So yes, the bug and fix are applicable to every
stable series.

Ben.

-- 
Ben Hutchings
I say we take off; nuke the site from orbit.  It's the only way to be sure.
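The overrun Ben describes, and why a 48-byte cl_ipaddr makes it a practical problem, can be reproduced in user space. The following is an added example, not code from the patch or from the kernel: the struct is a stand-in for nfs_client with only the 48-byte cl_ipaddr field, local_strlcpy() is a local reimplementation of the kernel's strlcpy() semantics (the glibc on a given machine may not ship one), the two addresses are constructed test values, and the source string is placed at the start of a larger buffer filled with a marker byte so that whatever the copy drags in from beyond the terminator is visible. The example also covers the opposite edge case the thread does not show, a source longer than the destination, where memcpy() leaves cl_ipaddr unterminated and strlcpy() truncates and terminates.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* nfs_client::cl_ipaddr was enlarged to 48 bytes in v2.6.25 (per the thread).
 * This struct is a stand-in for the kernel's, not its real definition. */
#define CL_IPADDR_LEN 48

struct fake_nfs_client {
    char cl_ipaddr[CL_IPADDR_LEN];
};

/* Constructed model of the source: the address string sits at the start of
 * this region and the rest is filled with 'X', standing in for whatever
 * unrelated memory follows the real client_address string. */
#define REGION_LEN 96

/* Constructed test addresses (not from the bug report). */
#define SHORT_ADDR "127.0.0.1"                                         /* 9 chars  */
#define LONG_ADDR  "2001:0db8:85a3:0000:0000:8a2e:0370:7334:ffff:ffff:ffff:ffff" /* 59 chars */

/* Local reimplementation of strlcpy() semantics as in the kernel's lib/string.c:
 * copy at most size-1 bytes, always NUL-terminate when size > 0, and return
 * strlen(src) so the caller can detect truncation. */
static size_t local_strlcpy(char *dst, const char *src, size_t size)
{
    size_t len = strlen(src);
    if (size) {
        size_t n = len >= size ? size - 1 : len;
        memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return len;
}

/* Fill the region with the marker byte, then place the NUL-terminated
 * address at its start (truncated if it would not fit). */
static void build_region(char region[REGION_LEN], const char *ip_addr)
{
    size_t n = strlen(ip_addr) + 1;
    memset(region, 'X', REGION_LEN);
    memcpy(region, ip_addr, n < REGION_LEN ? n : REGION_LEN);
}

/* Count non-zero bytes after the first NUL in buf: bytes the copy pulled in
 * from beyond the source string. Returns -1 if buf holds no NUL at all,
 * i.e. the destination is not a valid C string any more. */
static int residue_after_terminator(const char *buf, size_t size)
{
    const char *nul = memchr(buf, '\0', size);
    int count = 0;
    if (!nul)
        return -1;
    for (const char *p = nul + 1; p < buf + size; p++)
        if (*p != '\0')
            count++;
    return count;
}

/* Pre-patch behaviour: memcpy() bounded only by the destination size. */
static int copy_like_memcpy(const char *ip_addr)
{
    char region[REGION_LEN];
    struct fake_nfs_client clp;
    build_region(region, ip_addr);
    memset(&clp, 0, sizeof clp);
    memcpy(clp.cl_ipaddr, region, sizeof(clp.cl_ipaddr));
    return residue_after_terminator(clp.cl_ipaddr, sizeof(clp.cl_ipaddr));
}

/* Post-patch behaviour: strlcpy() bounded by the destination size. */
static int copy_like_strlcpy(const char *ip_addr)
{
    char region[REGION_LEN];
    struct fake_nfs_client clp;
    build_region(region, ip_addr);
    memset(&clp, 0, sizeof clp);
    local_strlcpy(clp.cl_ipaddr, region, sizeof(clp.cl_ipaddr));
    return residue_after_terminator(clp.cl_ipaddr, sizeof(clp.cl_ipaddr));
}

int main(void)
{
    printf("short address: memcpy residue=%d, strlcpy residue=%d\n",
           copy_like_memcpy(SHORT_ADDR), copy_like_strlcpy(SHORT_ADDR));
    printf("long address:  memcpy residue=%d, strlcpy residue=%d\n",
           copy_like_memcpy(LONG_ADDR), copy_like_strlcpy(LONG_ADDR));
    return 0;
}
```

For the 9-character address, memcpy() copies all 48 bytes and so carries 38 marker bytes into cl_ipaddr from behind the terminator; in the kernel those bytes come from whatever follows the kstrdup'd option string, which is the read overrun in the bug report, and the larger cl_ipaddr got in v2.6.25 the further past the string the read goes. strlcpy() stops at the terminator and the residue is zero. For the 59-character address the memcpy() copy has no terminator at all (residue -1), whereas strlcpy() writes 47 bytes plus a NUL.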

