[PATCH 6/6] v4_root_add_parents: remove a possible buffer overflow.





The loop in v4root_add_parents() is a little odd.
The first time through, 'ptr' points immediately "beyond"
a '/' character (the first).  For every other iteration it points
directly "at" a '/' character.
Such inconsistency is error-prone and in fact there is an error.
If "path" is precisely "/", then the first call to
   ptr = strchr(ptr, '/')

will be given a 'ptr' which is beyond the '\0' at the end of
"path".  This could potentially contain anything and the strchr()
could search well beyond a buffer (though this depends on exactly how
the string is set up which depends on separate code).

So change the loop to have 'ptr' always point at a '/', and
handle the special case of "/" explicitly.

Signed-off-by: NeilBrown <neilb@xxxxxxx>
---

 utils/mountd/v4root.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/utils/mountd/v4root.c b/utils/mountd/v4root.c
index 57ee0b2..708eb61 100644
--- a/utils/mountd/v4root.c
+++ b/utils/mountd/v4root.c
@@ -150,13 +150,13 @@ static int v4root_add_parents(nfs_export *exp)
 				"pseudo export for '%s'", exp->m_export.e_path);
 		return -ENOMEM;
 	}
-	for (ptr = path + 1; ptr; ptr = strchr(ptr, '/')) {
+	for (ptr = path; ptr; ptr = strchr(ptr, '/')) {
 		int ret;
 		char saved;
 
 		saved = *ptr;
 		*ptr = '\0';
-		ret = pseudofs_update(hostname, path, exp);
+		ret = pseudofs_update(hostname, *path ? path : "/", exp);
 		if (ret)
 			return ret;
 		*ptr = saved;
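
Review bot: The new loop start `ptr = path` silently depends on path[0] being '/': the first iteration saves and NUL-terminates path[0] whatever it holds, and the `*path ? path : "/"` argument relies on that to produce "/". The commit message states this invariant but the code does not, so a short comment above the `for`, or an explicit check that `path[0] == '/'` before the loop, would keep it true for future callers. The step that advances `ptr` past the restored '/' lies outside the visible hunk; it is worth confirming that for an empty `path` it cannot move `ptr` beyond the terminator, which would be the same kind of over-read this patch removes.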


--
To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html

