Bug#549002: [PATCH] nfs: Avoid overrun when copying client IP address string

To: Trond Myklebust <Trond.Myklebust@netapp.com>
Cc: linux-nfs@vger.kernel.org, 549002@bugs.debian.org
Subject: Bug#549002: [PATCH] nfs: Avoid overrun when copying client IP address string
From: Ben Hutchings <ben@decadent.org.uk>
Date: Sun, 04 Oct 2009 14:25:49 +0100
Message-id: <[🔎] 1254662749.2395.68.camel@localhost>
Reply-to: Ben Hutchings <ben@decadent.org.uk>, 549002@bugs.debian.org

As seen in <http://bugs.debian.org/549002>, nfs4_init_client() can
overrun the source string when copying the client IP address from
nfs_parsed_mount_data::client_address to nfs_client::cl_ipaddr.  Since
these are both treated as null-terminated strings elsewhere, the copy
should be done with strlcpy() not memcpy().

Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
diff --git a/fs/nfs/client.c b/fs/nfs/client.c
index 75c9cd2..f525a2f 100644
--- a/fs/nfs/client.c
+++ b/fs/nfs/client.c
@@ -1073,7 +1073,7 @@ static int nfs4_init_client(struct nfs_client *clp,
 				      1, flags & NFS_MOUNT_NORESVPORT);
 	if (error < 0)
 		goto error;
-	memcpy(clp->cl_ipaddr, ip_addr, sizeof(clp->cl_ipaddr));
+	strlcpy(clp->cl_ipaddr, ip_addr, sizeof(clp->cl_ipaddr));
 
 	error = nfs_idmap_new(clp);
 	if (error < 0) {

-- 
Ben Hutchings
I say we take off; nuke the site from orbit.  It's the only way to be sure.

Reply to:

Follow-Ups:
- Bug#549002: [PATCH] nfs: Avoid overrun when copying client IP address string
  - From: Trond Myklebust <Trond.Myklebust@netapp.com>

Prev by Date: Bug#549002: linux-image-2.6.26-2-xen-amd64: Kernel Oops - autofs5 nfs4 mount
Next by Date: Processed: retitle 548090 to [amd64-agp] BUG: unable to handle kernel NULL pointer dereference
Previous by thread: Bug#549002: linux-image-2.6.26-2-xen-amd64: Kernel Oops - autofs5 nfs4 mount
Next by thread: Bug#549002: [PATCH] nfs: Avoid overrun when copying client IP address string
Index(es):
- Date
- Thread