Stefan Walter wrote:
> 
> We do this on a much larger scale though. The bug we ran into is
> in line 96 in utils/mountd/auth.c. The strcpy can corrupt
> memory when it copies the string returned by client_compose() to
> my_client.m_hostname which has a fixed size of 1024 bytes. 
> For our example above, client_compose() returns "@joe,@jane"
> for any machine in the offices_1 netgroup. Unfortunately we have
> a machine to which roughly 150 netgroups like @joe or @jane
> export to and client_compose() returns a string over 1300 bytes
> long and rpc.mountd nicely segfaults.
>  
> To prevent the crash is of course trivial: Inserting a simple
> 'if (strlen(n) > 1024) return NULL;' before line 96 does the job.
Does the attached patch help?

> 
> There are however two issues for which we could not find an easy
> solution:
> 
>  1. For every client rpc.mountd and the kernel seem to exchange
>     and use lists with _all_ netgroups used in exports that are
>     relevant for granting permission to some share for a particular
>     client. We could imagine two optimizations here:
> 
>        * Resolve netgroups and only put the (member) netgroups that
>          contained the host name that would be used to authorize
>          a mount in the list.
> 
>        * Use the list of mounted paths per client and only put the
>          netgroup(s) used to export paths that are actually mounted
>          on a client. 
These sound reasonable...


>  
>  2. Using a fixed size for NFSCLNT_IDMAX does not scale. Mounting
>     shares on a client for which the 'if' clause of the quick fix
>     becomes true will not be possible. We thought about enlarging
>     NFSCLNT_IDMAX and using a custom kernel but dropped the idea. 
True...

> 
> Our ultimate goal is to get Red Hat fix the code in nfs-utils 1.0.6
> that is used in RHEL4. A first step would be to get a suitable fix in
> the current nfs-utils. 
Please open up bugs on all three of these issues and
we'll see what can done...

steved.