Re: rpc.mountd crashes when extensively using netgroups

public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed

From: Steve Dickson <SteveD@redhat.com>
To: Satyam Sharma <satyam@infradead.org>
Cc: Stefan Walter <stefan.walter@inf.ethz.ch>, linux-kernel@vger.kernel.org
Subject: Re: rpc.mountd crashes when extensively using netgroups
Date: Fri, 03 Aug 2007 10:51:40 -0400	[thread overview]
Message-ID: <46B340FC.7030209@RedHat.com> (raw)
In-Reply-To: <alpine.LFD.0.999.0708030801090.23798@enigma.security.iitk.ac.in>



Satyam Sharma wrote:
> Hi,
> 
> 
> On Thu, 2 Aug 2007, Stefan Walter wrote:
> 
>> Steve Dickson wrote:
>>> Stefan Walter wrote:
>>>> We do this on a much larger scale though. The bug we ran into is
>>>> in line 96 in utils/mountd/auth.c. The strcpy can corrupt
>>>> memory when it copies the string returned by client_compose() to
>>>> my_client.m_hostname which has a fixed size of 1024 bytes. For our
>>>> example above, client_compose() returns "@joe,@jane"
>>>> for any machine in the offices_1 netgroup. Unfortunately we have
>>>> a machine to which roughly 150 netgroups like @joe or @jane
>>> export to and client_compose() returns a string over 1300 bytes
>>>> long and rpc.mountd nicely segfaults.
>>>>  
>>>> To prevent the crash is of course trivial: Inserting a simple
>>>> 'if (strlen(n) > 1024) return NULL;' before line 96 does the job.
>>> Does the attached patch help?
>>>
>> rpc.mountd does not crash anymore but I get a 'permission denied' when
>> trying
>> to mount a share. Doing an 'strace rpc.mountd -F' reveals:
>>
>> ...
>> open("/proc/net/rpc/auth.unix.ip/channel", O_WRONLY|O_CREAT|O_TRUNC,
>> 0666) = 9
>> fstat64(9, {st_mode=S_IFREG|0600, st_size=0, ...}) = 0
>> mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1,
>> 0) = 0xb7f41000
>> time(NULL)                              = 1186041882
>> write(9, "nfsd 129.132.10.33 1186043682 @a"..., 1024) = -1 EINVAL
>> (Invalid argument)
>> write(9, "\n", 1)                       = -1 EINVAL (Invalid argument)
>> close(9)                                = 0
>> munmap(0xb7f41000, 4096)                = 0
>> open("/proc/net/rpc/nfsd.export/channel", O_WRONLY|O_CREAT|O_TRUNC,
>> 0666) = 9
>> fstat64(9, {st_mode=S_IFREG|0600, st_size=0, ...}) = 0
>> mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1,
>> 0) = 0xb7f41000
>> write(9, "@anbuehle,@anhorni,@antoinet,@ap"..., 1024) = -1 EINVAL
>> (Invalid argument)
>> time(NULL)                              = 1186041882
>> write(9, "/export/groups/grossm/h1/home/gr"..., 68) = -1 ENOENT (No such
>> file or directory)
>> close(9)                                = 0
>> munmap(0xb7f41000, 4096)                = 0
>> open("/proc/fs/nfsd/filehandle", O_RDWR) = 9
>> fstat64(9, {st_mode=S_IFREG|0600, st_size=0, ...}) = 0
>> mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1,
>> 0) = 0xb7f41000
>> write(9, "@anbuehle,@anhorni,@antoinet,@ap"..., 1066) = -1 EPERM
>> (Operation not permitted)
>> ...
> 
> Yup, the snprintf() in the patch would've truncated the input string.
> 
> Steve (D), you should check the return of snprintf() and compare against
> the size specified (NFSCLNT_IDMAX+1) and do a graceful cleanup + print
> an error message to the user, when detecting truncation of input:
> 
> 
> err = snprintf(my_client.m_hostname, (NFSCLNT_IDMAX+1), "%s", *n?n:"DEFAULT");
> if (err >= (NFSCLNT_IDMAX+1)) {
> 	printf("too large input string ...\n");
> 	/* cleanups and graceful exit */
> }
> 
cool... thanks!

steved.

next prev parent reply	other threads:[~2007-08-03 14:52 UTC|newest]

Thread overview: 12+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2007-07-30 12:55 rpc.mountd crashes when extensively using netgroups Stefan Walter
2007-07-31 13:59 ` Steve Dickson
2007-08-02  9:04   ` Stefan Walter
2007-08-03  2:40     ` Satyam Sharma
2007-08-03 14:51       ` Steve Dickson [this message]
2007-07-31 14:48 ` J. Bruce Fields
2007-08-02 15:32   ` [NFS] " Jeff Layton
2007-08-02 16:05     ` J. Bruce Fields
2007-08-02 16:28       ` Jeff Layton
2007-08-03  3:01     ` Neil Brown
2007-08-03  7:57       ` Stefan Walter
2007-08-03 16:07       ` J. Bruce Fields

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=46B340FC.7030209@RedHat.com \
    --to=steved@redhat.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=satyam@infradead.org \
    --cc=stefan.walter@inf.ethz.ch \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox