From: Steve Dickson <SteveD@redhat.com>
To: Stefan Walter <stefan.walter@inf.ethz.ch>
Cc: linux-kernel@vger.kernel.org
Subject: Re: rpc.mountd crashes when extensively using netgroups
Date: Tue, 31 Jul 2007 09:59:16 -0400
Message-ID: <46AF4034.6080507@RedHat.com>
In-Reply-To: <46ADDFB2.9070709@inf.ethz.ch>

[-- Attachment #1: Type: text/plain, Size: 2001 bytes --]

Stefan Walter wrote:
> 
> We do this on a much larger scale though. The bug we ran into is
> in line 96 in utils/mountd/auth.c. The strcpy can corrupt
> memory when it copies the string returned by client_compose() to
> my_client.m_hostname which has a fixed size of 1024 bytes. 
> For our example above, client_compose() returns "@joe,@jane"
> for any machine in the offices_1 netgroup. Unfortunately we have
> a machine to which roughly 150 netgroups like @joe or @jane
> export to and client_compose() returns a string over 1300 bytes
> long and rpc.mountd nicely segfaults.
>  
> To prevent the crash is of course trivial: Inserting a simple
> 'if (strlen(n) > 1024) return NULL;' before line 96 does the job.
Does the attached patch help?

> 
> There are however two issues for which we could not find an easy
> solution:
> 
>  1. For every client rpc.mountd and the kernel seem to exchange
>     and use lists with _all_ netgroups used in exports that are
>     relevant for granting permission to some share for a particular
>     client. We could imagine two optimizations here:
> 
>        * Resolve netgroups and only put the (member) netgroups that
>          contained the host name that would be used to authorize
>          a mount in the list.
> 
>        * Use the list of mounted paths per client and only put the
>          netgroup(s) used to export paths that are actually mounted
>          on a client. 
These sound reasonable...


>  
>  2. Using a fixed size for NFSCLNT_IDMAX does not scale. Mounting
>     shares on a client for which the 'if' clause of the quick fix
>     becomes true will not be possible. We thought about enlarging
>     NFSCLNT_IDMAX and using a custom kernel but dropped the idea. 
True...

> 
> Our ultimate goal is to get Red Hat to fix the code in nfs-utils 1.0.6
> that is used in RHEL4. A first step would be to get a suitable fix in
> the current nfs-utils. 
Please open up bugs on all three of these issues and
we'll see what can be done...

steved.


[-- Attachment #2: mountd-netgroup.patch --]
[-- Type: text/x-patch, Size: 763 bytes --]

commit 851ce1cb766cf295db85900aab804c0f82c12ab3
Author: Steve Dickson <steved@redhat.com>
Date:   Tue Jul 31 09:57:19 2007 -0400

    Stop rpc.mountd from crashing by m_hostname becoming
    corrupted with very long host names.
    
    Signed-off-by: Steve Dickson <steved@redhat.com>

diff --git a/utils/mountd/auth.c b/utils/mountd/auth.c
index f7fe23d..eff0ba7 100644
--- a/utils/mountd/auth.c
+++ b/utils/mountd/auth.c
@@ -93,7 +93,8 @@ auth_authenticate_internal(char *what, struct sockaddr_in *caller,
 		*error = unknown_host;
 		if (!n)
 			return NULL;
-		strcpy(my_client.m_hostname, *n?n:"DEFAULT");
+		snprintf(my_client.m_hostname, (NFSCLNT_IDMAX+1), 
+			"%s", *n?n:"DEFAULT");
 		free(n);
 		my_client.m_naddr = 1;
 		my_exp.m_client = &my_client;
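
Review bot: the snprintf() call on the added lines truncates silently, so an over-long n is stored in my_client.m_hostname as a cut-off string and the function carries on with it as the client's identity. Check the return value and, when it is >= the size passed, free(n) and return NULL instead of continuing, which is what the reporter's strlen() quick fix did. Also consider sizeof(my_client.m_hostname) in place of the hand-written (NFSCLNT_IDMAX+1), since the hunk does not show that the two agree and sizeof cannot drift from the declaration.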

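The overflow described in the quoted report, and the difference between a truncating copy and a checked one, as an added example that is not part of the original message or of nfs-utils. The helper names, the `@groupNNN` netgroup names and `HOSTNAME_BUF` (set to the 1024 bytes the report gives for m_hostname) are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define HOSTNAME_BUF 1024   /* assumed: size the report states for m_hostname */

/* Build "@group000,@group001,..." (constructed names). Returns the length
 * written, or 0 if the caller's buffer is too small. */
static size_t compose_groups(char *out, size_t outsz, int count)
{
    size_t used = 0;
    out[0] = '\0';
    for (int i = 0; i < count; i++) {
        int n = snprintf(out + used, outsz - used, "%s@group%03d",
                         i ? "," : "", i);
        if (n < 0 || (size_t)n >= outsz - used)
            return 0;
        used += (size_t)n;
    }
    return used;
}

/* Truncating copy: never overflows, but keeps whatever prefix fits. */
static size_t truncated_len(char *dst, size_t dstsz, const char *src)
{
    snprintf(dst, dstsz, "%s", src);
    return strlen(dst);
}

/* Checked copy: returns 0 on success, -1 if src does not fit (dst emptied). */
static int copy_client_id(char *dst, size_t dstsz, const char *src)
{
    int n = snprintf(dst, dstsz, "%s", *src ? src : "DEFAULT");
    if (n < 0 || (size_t)n >= dstsz) {
        dst[0] = '\0';
        return -1;
    }
    return 0;
}

int main(void)
{
    char list[4096], id[HOSTNAME_BUF];
    size_t len = compose_groups(list, sizeof list, 150);
    printf("composed list: %zu bytes, buffer: %d\n", len, HOSTNAME_BUF);
    printf("checked copy returns %d\n", copy_client_id(id, sizeof id, list));
    truncated_len(id, sizeof id, list);
    printf("truncating copy ends with \"%s\"\n", id + strlen(id) - 4);
    return 0;
}
```

With 150 names the composed list exceeds the buffer, so an unchecked strcpy() would write past it, the truncating copy ends in a partial netgroup name, and only the checked copy reports the problem to the caller.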