Bug#549002: [PATCH] nfs: Avoid overrun when copying client IP address string
As seen in http://bugs.debian.org/549002, nfs4_init_client() can overrun the source string when copying the client IP address from nfs_parsed_mount_data::client_address to nfs_client::cl_ipaddr. Since these are both treated as null-terminated strings elsewhere, the copy should be done with strlcpy() not memcpy(). Signed-off-by: Ben Hutchings b...@decadent.org.uk --- diff --git a/fs/nfs/client.c b/fs/nfs/client.c index 75c9cd2..f525a2f 100644 --- a/fs/nfs/client.c +++ b/fs/nfs/client.c @@ -1073,7 +1073,7 @@ static int nfs4_init_client(struct nfs_client *clp, 1, flags NFS_MOUNT_NORESVPORT); if (error 0) goto error; - memcpy(clp-cl_ipaddr, ip_addr, sizeof(clp-cl_ipaddr)); + strlcpy(clp-cl_ipaddr, ip_addr, sizeof(clp-cl_ipaddr)); error = nfs_idmap_new(clp); if (error 0) { -- Ben Hutchings I say we take off; nuke the site from orbit. It's the only way to be sure. -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#549002: [PATCH] nfs: Avoid overrun when copying client IP address string
On Sun, 2009-10-04 at 14:25 +0100, Ben Hutchings wrote: As seen in http://bugs.debian.org/549002, nfs4_init_client() can overrun the source string when copying the client IP address from nfs_parsed_mount_data::client_address to nfs_client::cl_ipaddr. Since these are both treated as null-terminated strings elsewhere, the copy should be done with strlcpy() not memcpy(). Signed-off-by: Ben Hutchings b...@decadent.org.uk --- diff --git a/fs/nfs/client.c b/fs/nfs/client.c index 75c9cd2..f525a2f 100644 --- a/fs/nfs/client.c +++ b/fs/nfs/client.c @@ -1073,7 +1073,7 @@ static int nfs4_init_client(struct nfs_client *clp, 1, flags NFS_MOUNT_NORESVPORT); if (error 0) goto error; - memcpy(clp-cl_ipaddr, ip_addr, sizeof(clp-cl_ipaddr)); + strlcpy(clp-cl_ipaddr, ip_addr, sizeof(clp-cl_ipaddr)); error = nfs_idmap_new(clp); if (error 0) { It looks good, so I'll push it upstream. I assume the bug report also applies to sta...@kernel.org? Thanks! Trond -- Trond Myklebust Linux NFS client maintainer NetApp trond.mykleb...@netapp.com www.netapp.com -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#549002: [PATCH] nfs: Avoid overrun when copying client IP address string
On Sun, 2009-10-04 at 18:33 -0400, Trond Myklebust wrote: On Sun, 2009-10-04 at 14:25 +0100, Ben Hutchings wrote: As seen in http://bugs.debian.org/549002, nfs4_init_client() can overrun the source string when copying the client IP address from nfs_parsed_mount_data::client_address to nfs_client::cl_ipaddr. Since these are both treated as null-terminated strings elsewhere, the copy should be done with strlcpy() not memcpy(). Signed-off-by: Ben Hutchings b...@decadent.org.uk --- diff --git a/fs/nfs/client.c b/fs/nfs/client.c index 75c9cd2..f525a2f 100644 --- a/fs/nfs/client.c +++ b/fs/nfs/client.c @@ -1073,7 +1073,7 @@ static int nfs4_init_client(struct nfs_client *clp, 1, flags NFS_MOUNT_NORESVPORT); if (error 0) goto error; - memcpy(clp-cl_ipaddr, ip_addr, sizeof(clp-cl_ipaddr)); + strlcpy(clp-cl_ipaddr, ip_addr, sizeof(clp-cl_ipaddr)); error = nfs_idmap_new(clp); if (error 0) { It looks good, so I'll push it upstream. I assume the bug report also applies to sta...@kernel.org? This bug appears to have been present forever, though I think it has become a practical problem since nfs_client::cl_ipaddr was enlarged to 48 bytes in v2.6.25. So yes, the bug and fix are applicable to every stable series. Ben. -- Ben Hutchings I say we take off; nuke the site from orbit. It's the only way to be sure. signature.asc Description: This is a digitally signed message part