On Sun, 2009-10-04 at 18:33 -0400, Trond Myklebust wrote:
> On Sun, 2009-10-04 at 14:25 +0100, Ben Hutchings wrote:
> > As seen in <http://bugs.debian.org/549002>, nfs4_init_client() can
> > overrun the source string when copying the client IP address from
> > nfs_parsed_mount_data::client_address to nfs_client::cl_ipaddr. Since
> > these are both treated as null-terminated strings elsewhere, the copy
> > should be done with strlcpy() not memcpy().
> >
> > Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
> > ---
> > diff --git a/fs/nfs/client.c b/fs/nfs/client.c
> > index 75c9cd2..f525a2f 100644
> > --- a/fs/nfs/client.c
> > +++ b/fs/nfs/client.c
> > @@ -1073,7 +1073,7 @@ static int nfs4_init_client(struct nfs_client *clp,
> > 1, flags & NFS_MOUNT_NORESVPORT);
> > if (error < 0)
> > goto error;
> > - memcpy(clp->cl_ipaddr, ip_addr, sizeof(clp->cl_ipaddr));
> > + strlcpy(clp->cl_ipaddr, ip_addr, sizeof(clp->cl_ipaddr));
> >
> > error = nfs_idmap_new(clp);
> > if (error < 0) {
>
> It looks good, so I'll push it upstream. I assume the bug report also
> applies to stable@kernel.org?
This bug appears to have been present "forever", though I think it has
become a practical problem since nfs_client::cl_ipaddr was enlarged to
48 bytes in v2.6.25. So yes, the bug and fix are applicable to every
stable series.
Ben.
--
Ben Hutchings
I say we take off; nuke the site from orbit. It's the only way to be sure.
Attachment:
signature.asc
Description: This is a digitally signed message part