Author: kib
Date: Thu Feb 16 06:36:16 2017
New Revision: 313800
URL: https://svnweb.freebsd.org/changeset/base/313800
Log:
Do not access memory past the buffer end.
Do not accept and silently truncate too long hostname.

Reported and tested by: pho
Sponsored by: The FreeBSD Foundation
MFC after: 1 week

Modified: head/sys/fs/nfsclient/nfs_clvfsops.c

Modified: head/sys/fs/nfsclient/nfs_clvfsops.c ============================================================================== --- head/sys/fs/nfsclient/nfs_clvfsops.c Thu Feb 16 06:34:20 2017 (r313799) +++ head/sys/fs/nfsclient/nfs_clvfsops.c Thu Feb 16 06:36:16 2017 (r313800) @@ -1270,8 +1270,13 @@ nfs_mount(struct mount *mp) error = EINVAL; goto out; } - bcopy(args.hostname, hst, MNAMELEN); - hst[MNAMELEN - 1] = '\0'; + if (len >= MNAMELEN) { + vfs_mount_error(mp, "Hostname too long"); + error = EINVAL; + goto out; + } + bcopy(args.hostname, hst, len); + hst[len] = '\0'; } if (vfs_getopt(mp->mnt_optnew, "principal", (void **)&name, NULL) == 0)
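Review bot: the new `if (len >= MNAMELEN)` check in nfs_mount() is only as good as `len`, and neither its type nor the statement that sets it is visible in this hunk. Please confirm that `len` is filled in by the same lookup that produced `args.hostname` (not left over from an earlier option) and that it cannot be negative; if it is a signed int, a negative value passes the `>=` test and then reaches `bcopy(args.hostname, hst, len)` as a very large size, so `len < 0 || len >= MNAMELEN` would be the safer condition. The upper bound itself looks right given that the removed lines wrote `hst[MNAMELEN - 1]`: with `len` at most `MNAMELEN - 1`, the `hst[len] = '\0'` store stays inside the buffer. A short comment saying whether `len` counts the terminating NUL would help, because that decides whether the longest accepted hostname is MNAMELEN - 1 or MNAMELEN - 2 characters. Since mounts that used to be silently truncated now fail with EINVAL, putting the limit into the "Hostname too long" message would make the failure easier to diagnose.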