From: Greg KH <gregkh@suse.de>
To: linux-kernel@vger.kernel.org, stable@kernel.org
Cc: stable-review@kernel.org, torvalds@linux-foundation.org,
akpm@linux-foundation.org, alan@lxorguk.ukuu.org.uk,
Ben Hutchings <ben@decadent.org.uk>,
Trond Myklebust <Trond.Myklebust@netapp.com>
Subject: [23/30] nfs: Avoid overrun when copying client IP address string
Date: Fri, 06 Nov 2009 13:56:26 -0800
Message-ID: <20091106215952.988107330@mini.kroah.org>
In-Reply-To: <20091106220156.GA13813@kroah.com>
[-- Attachment #1: nfs-avoid-overrun-when-copying-client-ip-address-string.patch --]
[-- Type: text/plain, Size: 1104 bytes --]
2.6.29-stable review patch. If anyone has any objections, please let us know.
------------------
From: Ben Hutchings <ben@decadent.org.uk>
commit f4373bf9e67e4a653c8854acd7b02dac9714c98a upstream.
As seen in <http://bugs.debian.org/549002>, nfs4_init_client() can
overrun the source string when copying the client IP address from
nfs_parsed_mount_data::client_address to nfs_client::cl_ipaddr. Since
these are both treated as null-terminated strings elsewhere, the copy
should be done with strlcpy() not memcpy().
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
fs/nfs/client.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/fs/nfs/client.c
+++ b/fs/nfs/client.c
@@ -983,7 +983,7 @@ static int nfs4_init_client(struct nfs_c
RPC_CLNT_CREATE_DISCRTRY);
if (error < 0)
goto error;
- memcpy(clp->cl_ipaddr, ip_addr, sizeof(clp->cl_ipaddr));
+ strlcpy(clp->cl_ipaddr, ip_addr, sizeof(clp->cl_ipaddr));
error = nfs_idmap_new(clp);
if (error < 0) {
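Review bot: The return value of strlcpy() on the added line is discarded, so an ip_addr that does not fit in clp->cl_ipaddr would be truncated silently and the client would carry a shortened address string. Consider checking whether the result is >= sizeof(clp->cl_ipaddr) and taking the existing "goto error" path with an error code in that case, or add a comment saying where the length of client_address is bounded before it reaches nfs4_init_client(). The fix also depends on ip_addr being NUL-terminated, as the commit message states, since strlcpy() walks the source up to its terminator.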