From 89366123426f780fb549e4eeaba7a46ab0cf9a87 Mon Sep 17 00:00:00 2001
From: zoulasc
Date: Mon, 1 Sep 2014 04:19:43 -0400
Subject: [PATCH] From Ian Kent (raven at themaw) dot net: In amfs_mount() the function get_root_nfs_fh() is assumed to return an NFSv2 handle but, if nfs_dispatcher != 2 it will write an NFSv3 handle to the NFSv2 structure, possibly overflowing the variable.
---
 ChangeLog | 5 +++++
 amd/amd.h | 3 ++-
 amd/autil.c | 10 ++++------
 amd/map.c | 11 +++++------
 4 files changed, 16 insertions(+), 13 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 00704b8a..7be0fb4e 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+2014-09-01 Christos Zoulas
+
+ * bug fix from raven at themaw.net to prevent writing v3 handle
+ to a v2 structure.
+
 2014-07-21 Christos Zoulas
 
 * fix permission problems with access
diff --git a/amd/amd.h b/amd/amd.h
index b9bdcf52..f66f5b75 100644
--- a/amd/amd.h
+++ b/amd/amd.h
@@ -550,7 +550,7 @@ extern amq_sync_umnt *amqproc_sync_umnt_1_svc_async(voidp argp, struct svc_req *
 extern amq_map_info_list *amqproc_getmapinfo_1_svc(voidp argp, struct svc_req *rqstp);
 
 /* other external definitions */
-extern am_nfs_fh *get_root_nfs_fh(char *dir);
+extern am_nfs_handle_t *get_root_nfs_fh(char *dir, am_nfs_handle_t *nfh);
 extern am_node *find_ap(char *);
 extern am_node *get_ap_child(am_node *, char *);
 extern bool_t xdr_amq_mount_info_qelem(XDR *xdrs, qelem *qhead);
@@ -635,6 +635,7 @@ extern int mount_auto_node(char *, opaque_t);
 extern int mount_automounter(int);
 extern int mount_exported(void);
 extern void mp_to_fh(am_node *, am_nfs_fh *);
+extern void mp_to_fh3(am_node *mp, am_nfs_fh3 *fhp);
 extern void new_ttl(am_node *);
 extern void nfs_quick_reply(am_node *mp, int error);
 extern void normalize_slash(char *);
diff --git a/amd/autil.c b/amd/autil.c
index cc073e89..cd9514d4 100644
--- a/amd/autil.c
+++ b/amd/autil.c
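Review bot: The new prototype at the `-extern am_nfs_fh`/`+extern am_nfs_handle_t` pair in the @@ -550 hunk records nothing about its contract, although the function now depends on caller-supplied storage: which member of `*nfh` gets written, and what the return value means, can only be learned by reading map.c. A one-line comment above the declaration would settle it, e.g. `/* Fill *nfh (v2 or v3 member, chosen by nfs_dispatcher) with dir's root file handle; returns nfh, or NULL on failure. */`, and the same wording belongs on the definition in the map.c hunk, whose block comment does not mention the out-parameter. The neighbouring declarations omit parameter names (`find_ap(char *)`), so `char *dir, am_nfs_handle_t *nfh` here and `mp_to_fh3(am_node *mp, am_nfs_fh3 *fhp)` at @@ -635 mix both styles; either is fine, but one should be chosen.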
@@ -524,8 +524,7 @@ amfs_mount(am_node *mp, mntfs *mf, char *opts)
 again:
 if (!(mf->mf_flags & MFF_IS_AUTOFS)) {
 nfs_args_t nfs_args;
- am_nfs_fh *fhp;
- am_nfs_handle_t anh;
+ am_nfs_handle_t *fhp, anh;
 #ifndef HAVE_TRANSPORT_TYPE_TLI
 u_short port;
 struct sockaddr_in sin;
@@ -534,7 +533,7 @@ again:
 /*
 * get fhandle of remote path for automount point
 */
- fhp = get_root_nfs_fh(dir);
+ fhp = get_root_nfs_fh(dir, &anh);
 if (!fhp) {
 plog(XLOG_FATAL, "Can't find root file handle for %s", dir);
 return EINVAL;
@@ -558,7 +557,6 @@ again:
 #endif /* not HAVE_TRANSPORT_TYPE_TLI */
 
 /* setup the many fields and flags within nfs_args */
- memmove(&anh.v2, fhp, sizeof(*fhp));
 #ifdef HAVE_TRANSPORT_TYPE_TLI
 compute_nfs_args(&nfs_args,
 &mnt,
@@ -567,7 +565,7 @@ again:
 NULL, /* remote host IP addr is set below */
 nfs_version,
 "udp",
- &anh,
+ fhp,
 fs_hostname,
 pid_fsname);
 /*
@@ -588,7 +586,7 @@ again:
 &sin,
 nfs_version,
 "udp",
- &anh,
+ fhp,
 fs_hostname,
 pid_fsname);
 #endif /* not HAVE_TRANSPORT_TYPE_TLI */
diff --git a/amd/map.c b/amd/map.c
index d924d703..fce8273e 100644
--- a/amd/map.c
+++ b/amd/map.c
@@ -542,17 +542,16 @@ find_ap(char *dir)
 * This is used during the bootstrap to tell the kernel
 * the filehandles of the initial automount points.
 */
-am_nfs_fh *
-get_root_nfs_fh(char *dir)
+am_nfs_handle_t *
+get_root_nfs_fh(char *dir, am_nfs_handle_t *nfh)
 {
- static am_nfs_fh nfh;
 am_node *mp = get_root_ap(dir);
 if (mp) {
 if (nfs_dispatcher == nfs_program_2)
- mp_to_fh(mp, &nfh);
+ mp_to_fh(mp, &nfh->v2);
 else
- mp_to_fh3(mp, &nfh);
- return &nfh;
+ mp_to_fh3(mp, &nfh->v3);
+ return nfh;
 }
 
 /*
-- 
2.34.1
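Review bot: `am_nfs_handle_t *fhp, anh;` in the @@ -524 hunk declares a pointer and an object of the same base type on one line, which is easy to misread as two pointers; two declarations, `am_nfs_handle_t anh;` and `am_nfs_handle_t *fhp;`, read unambiguously. `anh` is also left without an initializer, and get_root_nfs_fh fills only one of its members (v2 or v3, per the map.c hunk), so if `am_nfs_handle_t` is a union and compute_nfs_args copies it whole, the bytes beyond the filled member are whatever was on the stack; `am_nfs_handle_t anh = {0};` removes that question at no cost. Whether mp_to_fh or mp_to_fh3 already zero-fills its target cannot be confirmed from this hunk. amfs_mount begins before and continues after this hunk.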
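Review bot: After `fhp = get_root_nfs_fh(dir, &anh);` in the @@ -534 hunk, which member of `anh` is valid was decided by `nfs_dispatcher` inside the callee, while the compute_nfs_args calls in the @@ -567 and @@ -588 hunks are told which member to read through the separate `nfs_version` argument; nothing in amfs_mount ties the two together, so a v2 dispatcher combined with `nfs_version` 3 (or the reverse) would pass the kernel the wrong member. Presumably both derive from the same configuration elsewhere, but that is not visible here, and the coupling deserves to be written down at the call: `/* anh's v2 or v3 member is chosen by nfs_dispatcher; the nfs_version passed to compute_nfs_args below must agree */`. The enclosing function starts before and ends after this hunk.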
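Review bot: In the @@ -542 hunk, `if (nfs_dispatcher == nfs_program_2)` still classifies every dispatcher other than the v2 one as NFSv3 and writes `nfh->v3`, so an unexpected or unset dispatcher silently produces a handle of the wrong type rather than an error. Testing explicitly for the v3 dispatcher and falling through to `return NULL;` for anything else would route that case to the caller's existing `if (!fhp)` check in amfs_mount, which already logs and returns EINVAL. `nfh` is dereferenced without a NULL check, which is acceptable for an internal helper whose only caller passes a local's address, but it should be stated as a precondition. get_root_nfs_fh's body continues past the end of the hunk.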