
Bug#549002: linux-image-2.6.26-2-xen-amd64: Kernel Oops - autofs5 nfs4 mount



On Tue, 2009-10-06 at 21:37 +0200, Christian Salzmann wrote:
> Hi Ben,
> > I tracked this bug down and a fix should be in the next stable update.
> >   
> Wow, thank you for your immediate response!
> > Although the fix is "obvious" to me looking at the code, it would be better
> > if you could verify the fix on your system.  Are you happy to build and
> > install a new kernel package, given instructions?
> >   
> This wouldn't be the first one, so any patch is welcome ;-)

The patch is attached.

Instructions for rebuilding the kernel package are at
<http://kernel-handbook.alioth.debian.org/ch-common-tasks.html#s-common-official>.
Make sure that APT downloads the source from stable-security, not from
unstable.

Ben.

-- 
Ben Hutchings
To err is human; to really foul things up requires a computer.
From: Ben Hutchings <ben@decadent.org.uk>
Date: Sun, 04 Oct 2009 14:25:50 +0100
Subject: [PATCH] nfs: Avoid overrun when copying client IP address string

As seen in <http://bugs.debian.org/549002>, nfs4_init_client() can
overrun the source string when copying the client IP address from
nfs_parsed_mount_data::client_address to nfs_client::cl_ipaddr.  Since
these are both treated as null-terminated strings elsewhere, the copy
should be done with strlcpy() not memcpy().

Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
diff --git a/fs/nfs/client.c b/fs/nfs/client.c
index 75c9cd2..f525a2f 100644
--- a/fs/nfs/client.c
+++ b/fs/nfs/client.c
@@ -1073,7 +1073,7 @@ static int nfs4_init_client(struct nfs_client *clp,
 				      1, flags & NFS_MOUNT_NORESVPORT);
 	if (error < 0)
 		goto error;
-	memcpy(clp->cl_ipaddr, ip_addr, sizeof(clp->cl_ipaddr));
+	strlcpy(clp->cl_ipaddr, ip_addr, sizeof(clp->cl_ipaddr));
 
 	error = nfs_idmap_new(clp);
 	if (error < 0) {
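
Review bot: the return value of strlcpy() on the added line is discarded, so an ip_addr string that does not fit in clp->cl_ipaddr would be silently truncated and the mount would proceed with a shortened client address. strlcpy() returns the length of the source string, so comparing the result against sizeof(clp->cl_ipaddr) and taking the existing "goto error" path with a suitable error code would reject an over-long address instead of storing part of it. If the length is already bounded where client_address is parsed, one sentence in the commit message saying so would settle it. The copy also relies on ip_addr being NUL-terminated, which the commit message states but this hunk does not show.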
