From: Greg KH <gregkh@suse.de>
To: linux-kernel@vger.kernel.org, stable@kernel.org
Cc: stable-review@kernel.org, torvalds@linux-foundation.org,
akpm@linux-foundation.org, alan@lxorguk.ukuu.org.uk,
Ben Hutchings <ben@decadent.org.uk>,
Trond Myklebust <Trond.Myklebust@netapp.com>
Subject: [23/30] nfs: Avoid overrun when copying client IP address string
Date: Fri, 06 Nov 2009 13:56:26 -0800 [thread overview]
Message-ID: <20091106215952.988107330@mini.kroah.org> (raw)
In-Reply-To: <20091106220156.GA13813@kroah.com>
[-- Attachment #1: nfs-avoid-overrun-when-copying-client-ip-address-string.patch --]
[-- Type: text/plain, Size: 1104 bytes --]
2.6.29-stable review patch. If anyone has any objections, please let us know.
------------------
From: Ben Hutchings <ben@decadent.org.uk>
commit f4373bf9e67e4a653c8854acd7b02dac9714c98a upstream.
As seen in <http://bugs.debian.org/549002>, nfs4_init_client() can
overrun the source string when copying the client IP address from
nfs_parsed_mount_data::client_address to nfs_client::cl_ipaddr. Since
these are both treated as null-terminated strings elsewhere, the copy
should be done with strlcpy() not memcpy().
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
fs/nfs/client.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/fs/nfs/client.c
+++ b/fs/nfs/client.c
@@ -983,7 +983,7 @@ static int nfs4_init_client(struct nfs_c
RPC_CLNT_CREATE_DISCRTRY);
if (error < 0)
goto error;
- memcpy(clp->cl_ipaddr, ip_addr, sizeof(clp->cl_ipaddr));
+ strlcpy(clp->cl_ipaddr, ip_addr, sizeof(clp->cl_ipaddr));
error = nfs_idmap_new(clp);
if (error < 0) {
next prev parent reply other threads:[~2009-11-06 22:08 UTC|newest]
Thread overview: 31+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20091106215603.413650799@mini.kroah.org>
2009-11-06 22:01 ` [00/30] 2.6.27.39-stable review Greg KH
2009-11-06 21:56 ` [01/30] 8250_pci: add IBM Saturn serial card Greg KH
2009-11-06 21:56 ` [02/30] b43: Fix Bugzilla #14181 and the bug from the previous fix Greg KH
2009-11-06 21:56 ` [03/30] dpt_i2o: Fix up copy*user Greg KH
2009-11-06 21:56 ` [04/30] dpt_i2o: Fix typo of EINVAL Greg KH
2009-11-06 21:56 ` [05/30] Driver core: fix driver_register() return value Greg KH
2009-11-06 21:56 ` [06/30] fs: pipe.c null pointer dereference Greg KH
2009-11-06 21:56 ` [07/30] hfsplus: refuse to mount volumes larger than 2TB Greg KH
2009-11-06 21:56 ` [08/30] Input: synaptics - add another Protege M300 to rate blacklist Greg KH
2009-11-06 21:56 ` [09/30] libata: fix internal command failure handling Greg KH
2009-11-06 21:56 ` [10/30] libertas if_usb: Fix crash on 64-bit machines Greg KH
2009-11-06 21:56 ` [11/30] mbind(): fix leak of never putback pages Greg KH
2009-11-06 21:56 ` [12/30] ray_cs: Fix copy_from_user handling Greg KH
2009-11-06 21:56 ` [13/30] Revert "ACPI: Attach the ACPI device to the ACPI handle as early as possible" Greg KH
2009-11-06 21:56 ` [14/30] tty: Mark generic_serial users as BROKEN Greg KH
2009-11-06 21:56 ` [15/30] x86-64: Fix register leak in 32-bit syscall audting Greg KH
2009-11-06 21:56 ` [16/30] AF_UNIX: Fix deadlock on connecting to shutdown socket (CVE-2009-3621) Greg KH
2009-11-06 21:56 ` [17/30] appletalk: Fix skb leak when ipddp interface is not loaded (CVE-2009-2903) Greg KH
2009-11-06 21:56 ` [18/30] netlink: fix typo in initialization (CVE-2009-3612) Greg KH
2009-11-06 21:56 ` [19/30] KVM: Prevent overflow in KVM_GET_SUPPORTED_CPUID (CVE-2009-3638) Greg KH
2009-11-06 21:56 ` [20/30] irda: Add irda_skb_cb qdisc related padding Greg KH
2009-11-06 21:56 ` [21/30] nfs: Panic when commit fails Greg KH
2009-11-06 21:56 ` [22/30] NFSv4: Fix a bug when the server returns NFS4ERR_RESOURCE Greg KH
2009-11-06 21:56 ` Greg KH [this message]
2009-11-06 21:56 ` [24/30] NFSv4: Kill nfs4_renewd_prepare_shutdown() Greg KH
2009-11-06 21:56 ` [25/30] NFSv4: Fix a problem whereby a buggy server can oops the kernel Greg KH
2009-11-06 21:56 ` [26/30] NFSv4: The link() operation should return any delegation on the file Greg KH
2009-11-06 21:56 ` [27/30] printk: robustify printk Greg KH
2009-11-06 21:56 ` [28/30] bonding: fix a race condition in calls to slave MII ioctls Greg KH
2009-11-06 21:56 ` [29/30] x86/amd-iommu: Un__init function required on shutdown Greg KH
2009-11-06 21:56 ` [30/30] x86/amd-iommu: Workaround for erratum 63 Greg KH
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20091106215952.988107330@mini.kroah.org \
--to=gregkh@suse.de \
--cc=Trond.Myklebust@netapp.com \
--cc=akpm@linux-foundation.org \
--cc=alan@lxorguk.ukuu.org.uk \
--cc=ben@decadent.org.uk \
--cc=linux-kernel@vger.kernel.org \
--cc=stable-review@kernel.org \
--cc=stable@kernel.org \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox