From: Steve Dickson <SteveD@redhat.com>
To: Neil Brown <neilb@suse.de>
Cc: linux-nfs@vger.kernel.org
Subject: Re: [PATCH 1/2] Remove risk of nfs_addmntent corrupting mtab
Date: Mon, 23 May 2011 08:26:02 -0400 [thread overview]
Message-ID: <4DDA525A.802@RedHat.com> (raw)
In-Reply-To: <20110517045217.29020.16140.stgit-wvvUuzkyo1EYVZTmpyfIwg@public.gmane.org>
On 05/17/2011 12:52 AM, Neil Brown wrote:
> nfs_addmntent is used to append directly to /etc/mtab.
> If the write partially fail, e.g. due to RLIMIT_FSIZE,
> truncate back to original size and return an error.
>
> See also https://bugzilla.redhat.com/show_bug.cgi?id=697975
> (CVE-2011-1749) CVE-2011-1749 nfs-utils: mount.nfs fails to anticipate RLIMIT_FSIZE
>
> Signed-off-by: NeilBrown <neilb@suse.de>
> ---
>
> support/nfs/nfs_mntent.c | 9 +++++++++
> 1 files changed, 9 insertions(+), 0 deletions(-)
>
> diff --git a/support/nfs/nfs_mntent.c b/support/nfs/nfs_mntent.c
> index a5216fc..a2118a2 100644
> --- a/support/nfs/nfs_mntent.c
> +++ b/support/nfs/nfs_mntent.c
> @@ -12,6 +12,7 @@
> #include <string.h> /* for index */
> #include <ctype.h> /* for isdigit */
> #include <sys/stat.h> /* for umask */
> +#include <unistd.h> /* for ftruncate */
>
> #include "nfs_mntent.h"
> #include "nls.h"
> @@ -127,9 +128,11 @@ int
> nfs_addmntent (mntFILE *mfp, struct mntent *mnt) {
> char *m1, *m2, *m3, *m4;
> int res;
> + off_t length;
>
> if (fseek (mfp->mntent_fp, 0, SEEK_END))
> return 1; /* failure */
> + length = ftell(mfp->mntent_fp);
>
> m1 = mangle(mnt->mnt_fsname);
> m2 = mangle(mnt->mnt_dir);
> @@ -143,6 +146,12 @@ nfs_addmntent (mntFILE *mfp, struct mntent *mnt) {
> free(m2);
> free(m3);
> free(m4);
> + if (res >= 0) {
> + res = fflush(mfp->mntent_fp);
> + if (res < 0)
> + /* Avoid leaving a corrupt mtab file */
> + ftruncate(fileno(mfp->mntent_fp), length);
> + }
> return (res < 0) ? 1 : 0;
> }
>
>
>
Committed...
steved.
prev parent reply other threads:[~2011-05-23 12:26 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-05-17 4:52 [PATCH 0/2] Two small fixes for nfs-utils Neil Brown
2011-05-17 4:52 ` [PATCH 2/2] supress socket error when address family is not supported Neil Brown
[not found] ` <20110517045217.29020.46681.stgit-wvvUuzkyo1EYVZTmpyfIwg@public.gmane.org>
2011-05-17 6:29 ` mount.nfs4: Mounting failed, reason given by server: No such file or directory Taousif_Ansari-G5Y5guI6XLZWk0Htik3J/w
2011-05-17 6:38 ` Mi Jinlong
2011-05-23 12:26 ` [PATCH 2/2] supress socket error when address family is not supported Steve Dickson
2011-05-17 4:52 ` [PATCH 1/2] Remove risk of nfs_addmntent corrupting mtab Neil Brown
2011-05-17 13:45 ` Chuck Lever
[not found] ` <20110517045217.29020.16140.stgit-wvvUuzkyo1EYVZTmpyfIwg@public.gmane.org>
2011-05-23 12:26 ` Steve Dickson [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4DDA525A.802@RedHat.com \
--to=steved@redhat.com \
--cc=linux-nfs@vger.kernel.org \
--cc=neilb@suse.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).