| Message ID | 20110517045217.29020.16140.stgit@notabene.brown (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
On May 17, 2011, at 12:52 AM, Neil Brown wrote: > nfs_addmntent is used to append directly to /etc/mtab. > If the write partially fail, e.g. due to RLIMIT_FSIZE, > truncate back to original size and return an error. > > See also https://bugzilla.redhat.com/show_bug.cgi?id=697975 > (CVE-2011-1749) CVE-2011-1749 nfs-utils: mount.nfs fails to anticipate RLIMIT_FSIZE Seems reasonable. Is there a similar fix needed for libmount? > Signed-off-by: NeilBrown <neilb@suse.de> > --- > > support/nfs/nfs_mntent.c | 9 +++++++++ > 1 files changed, 9 insertions(+), 0 deletions(-) > > diff --git a/support/nfs/nfs_mntent.c b/support/nfs/nfs_mntent.c > index a5216fc..a2118a2 100644 > --- a/support/nfs/nfs_mntent.c > +++ b/support/nfs/nfs_mntent.c > @@ -12,6 +12,7 @@ > #include <string.h> /* for index */ > #include <ctype.h> /* for isdigit */ > #include <sys/stat.h> /* for umask */ > +#include <unistd.h> /* for ftruncate */ > > #include "nfs_mntent.h" > #include "nls.h" > @@ -127,9 +128,11 @@ int > nfs_addmntent (mntFILE *mfp, struct mntent *mnt) { > char *m1, *m2, *m3, *m4; > int res; > + off_t length; > > if (fseek (mfp->mntent_fp, 0, SEEK_END)) > return 1; /* failure */ > + length = ftell(mfp->mntent_fp); > > m1 = mangle(mnt->mnt_fsname); > m2 = mangle(mnt->mnt_dir); > @@ -143,6 +146,12 @@ nfs_addmntent (mntFILE *mfp, struct mntent *mnt) { > free(m2); > free(m3); > free(m4); > + if (res >= 0) { > + res = fflush(mfp->mntent_fp); > + if (res < 0) > + /* Avoid leaving a corrupt mtab file */ > + ftruncate(fileno(mfp->mntent_fp), length); > + } > return (res < 0) ? 1 : 0; > } > > > > -- > To unsubscribe from this list: send the line "unsubscribe linux-nfs" in > the body of a message to majordomo@vger.kernel.org > More majordomo info at http://vger.kernel.org/majordomo-info.html
On 05/17/2011 12:52 AM, Neil Brown wrote: > nfs_addmntent is used to append directly to /etc/mtab. > If the write partially fail, e.g. due to RLIMIT_FSIZE, > truncate back to original size and return an error. > > See also https://bugzilla.redhat.com/show_bug.cgi?id=697975 > (CVE-2011-1749) CVE-2011-1749 nfs-utils: mount.nfs fails to anticipate RLIMIT_FSIZE > > Signed-off-by: NeilBrown <neilb@suse.de> > --- > > support/nfs/nfs_mntent.c | 9 +++++++++ > 1 files changed, 9 insertions(+), 0 deletions(-) > > diff --git a/support/nfs/nfs_mntent.c b/support/nfs/nfs_mntent.c > index a5216fc..a2118a2 100644 > --- a/support/nfs/nfs_mntent.c > +++ b/support/nfs/nfs_mntent.c > @@ -12,6 +12,7 @@ > #include <string.h> /* for index */ > #include <ctype.h> /* for isdigit */ > #include <sys/stat.h> /* for umask */ > +#include <unistd.h> /* for ftruncate */ > > #include "nfs_mntent.h" > #include "nls.h" > @@ -127,9 +128,11 @@ int > nfs_addmntent (mntFILE *mfp, struct mntent *mnt) { > char *m1, *m2, *m3, *m4; > int res; > + off_t length; > > if (fseek (mfp->mntent_fp, 0, SEEK_END)) > return 1; /* failure */ > + length = ftell(mfp->mntent_fp); > > m1 = mangle(mnt->mnt_fsname); > m2 = mangle(mnt->mnt_dir); > @@ -143,6 +146,12 @@ nfs_addmntent (mntFILE *mfp, struct mntent *mnt) { > free(m2); > free(m3); > free(m4); > + if (res >= 0) { > + res = fflush(mfp->mntent_fp); > + if (res < 0) > + /* Avoid leaving a corrupt mtab file */ > + ftruncate(fileno(mfp->mntent_fp), length); > + } > return (res < 0) ? 1 : 0; > } > > > Committed... steved. -- To unsubscribe from this list: send the line "unsubscribe linux-nfs" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
diff --git a/support/nfs/nfs_mntent.c b/support/nfs/nfs_mntent.c index a5216fc..a2118a2 100644 --- a/support/nfs/nfs_mntent.c +++ b/support/nfs/nfs_mntent.c @@ -12,6 +12,7 @@ #include <string.h> /* for index */ #include <ctype.h> /* for isdigit */ #include <sys/stat.h> /* for umask */ +#include <unistd.h> /* for ftruncate */ #include "nfs_mntent.h" #include "nls.h" @@ -127,9 +128,11 @@ int nfs_addmntent (mntFILE *mfp, struct mntent *mnt) { char *m1, *m2, *m3, *m4; int res; + off_t length; if (fseek (mfp->mntent_fp, 0, SEEK_END)) return 1; /* failure */ + length = ftell(mfp->mntent_fp); m1 = mangle(mnt->mnt_fsname); m2 = mangle(mnt->mnt_dir); @@ -143,6 +146,12 @@ nfs_addmntent (mntFILE *mfp, struct mntent *mnt) { free(m2); free(m3); free(m4); + if (res >= 0) { + res = fflush(mfp->mntent_fp); + if (res < 0) + /* Avoid leaving a corrupt mtab file */ + ftruncate(fileno(mfp->mntent_fp), length); + } return (res < 0) ? 1 : 0; }
nfs_addmntent is used to append directly to /etc/mtab. If the write partially fail, e.g. due to RLIMIT_FSIZE, truncate back to original size and return an error. See also https://bugzilla.redhat.com/show_bug.cgi?id=697975 (CVE-2011-1749) CVE-2011-1749 nfs-utils: mount.nfs fails to anticipate RLIMIT_FSIZE Signed-off-by: NeilBrown <neilb@suse.de> --- support/nfs/nfs_mntent.c | 9 +++++++++ 1 files changed, 9 insertions(+), 0 deletions(-) -- To unsubscribe from this list: send the line "unsubscribe linux-nfs" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html