bin/170295: mountd: correct credentials parsing in -mapall and -maproot options
>Number: 170295
>Category: bin
>Synopsis: mountd: correct credentials parsing in -mapall and -maproot
>options
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible:freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: update
>Submitter-Id: current-users
>Arrival-Date: Tue Jul 31 13:00:25 UTC 2012
>Closed-Date:
>Last-Modified:
>Originator: Andrey Simonenko
>Release:FreeBSD 10.0-CURRENT amd64
>Organization:
>Environment:
>Description:
The usr.sbin/mountd/mountd.c:parsecred() function has the following mistakes:
1. It has buffer overflow if number of GIDs of some user is greater than
the XU_NGROUPS value, incorrect usage of getgrouplist(3).
2. It incorrectly gets group lists for a user given without groups: it
forgets about a single group of a user or forgets about the first
supplementary group of a user.
3. If a user is unknown it silently uses -2:-2 credentials and this
does not correspond to exports(5) rules.
4. If a group is unknown, then it ignores this group and this
does not correspond to exports(5) rules.
5. It uses atoi(3) function to parse UID and GID, and does not check
any mistakes in numbers.
>How-To-Repeat:
>Fix:
--- mountd.c.orig 2012-01-20 13:19:39.0 +0200
+++ mountd.c2012-07-31 15:31:39.0 +0300
@@ -199,7 +199,7 @@ int makemask(struct sockaddr_storage *ss
void mntsrv(struct svc_req *, SVCXPRT *);
void nextfield(char **, char **);
void out_of_mem(void);
-void parsecred(char *, struct xucred *);
+static int parsecred(char *, struct xucred *);
intparsesec(char *, struct exportlist *);
intput_exlist(struct dirlist *, XDR *, struct dirlist *, int *, int);
void *sa_rawaddr(struct sockaddr *sa, int *nbytes);
@@ -2140,7 +2140,8 @@ do_opt(char **cpp, char **endcpp, struct
!(allflag = strcmp(cpopt, "mapall")) ||
!strcmp(cpopt, "root") || !strcmp(cpopt, "r"))) {
usedarg++;
- parsecred(cpoptarg, cr);
+ if (parsecred(cpoptarg, cr))
+ return (1);
if (allflag == 0) {
*exflagsp |= MNT_EXPORTANON;
opt_flags |= OP_MAPALL;
@@ -2760,81 +2761,100 @@ get_line(void)
/*
* Parse a description of a credential.
*/
-void
+static int
parsecred(char *namelist, struct xucred *cr)
{
- char *name;
- int cnt;
- char *names;
- struct passwd *pw;
- struct group *gr;
- gid_t groups[XU_NGROUPS + 1];
+ const struct group *gr;
+ const struct passwd *pw;
+ const char *errstr, *username;
+ char *name, *names;
+ uid_t uid;
int ngroups;
- cr->cr_version = XUCRED_VERSION;
- /*
-* Set up the unprivileged user.
-*/
- cr->cr_uid = -2;
- cr->cr_groups[0] = -2;
- cr->cr_ngroups = 1;
/*
* Get the user's password table entry.
*/
names = strsep(&namelist, " \t\n");
- name = strsep(&names, ":");
- if (isdigit(*name) || *name == '-')
- pw = getpwuid(atoi(name));
- else
- pw = getpwnam(name);
- /*
-* Credentials specified as those of a user.
-*/
- if (names == NULL) {
- if (pw == NULL) {
- syslog(LOG_ERR, "unknown user: %s", name);
- return;
+ username = name = strsep(&names, ":");
+ errno = 0;
+ pw = getpwnam(name);
+ if (pw == NULL) {
+ if (errno != 0) {
+ syslog(LOG_ERR, "getpwnam: %m");
+ return (1);
+ }
+ uid = (uid_t)strtonum(name, 0, UID_MAX, &errstr);
+ if (errstr != NULL) {
+ if (errno == ERANGE)
+ syslog(LOG_ERR, "UID %s is %s", name, errstr);
+ else
+ syslog(LOG_ERR, "unknown user: %s", name);
+ return (1);
+ }
+ if (names == NULL) {
+ errno = 0;
+ pw = getpwuid(uid);
+ if (pw == NULL) {
+ if (errno != 0)
+ syslog(LOG_ERR, "getpwuid: %m");
+ else
+ syslog(LOG_ERR, "unknown user: %s",
+ name);
+ return (1);
+ }
}
- cr->cr_uid = pw->pw_uid;
- ngroups = XU_NGROUPS + 1;
- if (getgrouplist(pw->pw_name, pw->pw_gid, groups, &ngroups))
- syslog(LOG_ERR, "too many groups");
+ } else
+
Re: kern/170281: [ath] 802.11n locks up on aggregation setup (ampdutx)
Old Synopsis: ath 802.11n locks up on aggregation setup (ampdutx) New Synopsis: [ath] 802.11n locks up on aggregation setup (ampdutx) Responsible-Changed-From-To: freebsd-bugs->freebsd-wireless Responsible-Changed-By: linimon Responsible-Changed-When: Tue Jul 31 14:55:51 UTC 2012 Responsible-Changed-Why: Over to maintainer(s). http://www.freebsd.org/cgi/query-pr.cgi?pr=170281 ___ freebsd-bugs@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-bugs To unsubscribe, send any mail to "freebsd-bugs-unsubscr...@freebsd.org"
Re: ports/170290: devel/pylint broken after latest update due to permissions issue
Old Synopsis: pylint broken after latest update due to permissions issue New Synopsis: devel/pylint broken after latest update due to permissions issue Responsible-Changed-From-To: freebsd-bugs->freebsd-ports-bugs Responsible-Changed-By: linimon Responsible-Changed-When: Tue Jul 31 14:56:31 UTC 2012 Responsible-Changed-Why: ports PR. http://www.freebsd.org/cgi/query-pr.cgi?pr=170290 ___ freebsd-bugs@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-bugs To unsubscribe, send any mail to "freebsd-bugs-unsubscr...@freebsd.org"
Re: kern/170058: [cbb] [patch] cardbus slot is not functioning correctly after a resume
The following reply was made to PR kern/170058; it has been noted by GNATS. From: John Baldwin To: bug-follo...@freebsd.org, adr...@freebsd.org Cc: Subject: Re: kern/170058: [cbb] [patch] cardbus slot is not functioning correctly after a resume Date: Tue, 31 Jul 2012 10:56:49 -0400 Your patch is probably close to correct. You should not need the d0 bit for the cbb device itself (the PCI bus should do that), but the PCI bus driver only saves config register information for type 0 devices. The PCI-PCI bridge driver restores its config registers on its own, and cbb should do the same. -- John Baldwin ___ freebsd-bugs@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-bugs To unsubscribe, send any mail to "freebsd-bugs-unsubscr...@freebsd.org"
Re: kern/170058: [cbb] [patch] cardbus slot is not functioning correctly after a resume
The following reply was made to PR kern/170058; it has been noted by GNATS. From: Adrian Chadd To: John Baldwin Cc: bug-follo...@freebsd.org Subject: Re: kern/170058: [cbb] [patch] cardbus slot is not functioning correctly after a resume Date: Tue, 31 Jul 2012 11:39:56 -0700 On 31 July 2012 07:56, John Baldwin wrote: > Your patch is probably close to correct. You should not need the d0 bit for > the cbb device itself (the PCI bus should do that), but the PCI bus driver > only saves config register information for type 0 devices. The PCI-PCI > bridge > driver restores its config registers on its own, and cbb should do the same. Ok, I'll commit this for -HEAD and MFC it to -9. Thanks, Adrian ___ freebsd-bugs@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-bugs To unsubscribe, send any mail to "freebsd-bugs-unsubscr...@freebsd.org"
Re: kern/170058: commit references a PR
The following reply was made to PR kern/170058; it has been noted by GNATS. From: dfil...@freebsd.org (dfilter service) To: bug-follo...@freebsd.org Cc: Subject: Re: kern/170058: commit references a PR Date: Tue, 31 Jul 2012 18:47:32 + (UTC) Author: adrian Date: Tue Jul 31 18:47:17 2012 New Revision: 238954 URL: http://svn.freebsd.org/changeset/base/238954 Log: Restore the PCI bridge configuration upon resume. This allows my TI1510 cardbus/PCI bridge to work after a suspend/resume, without having to unload/reload the cbb driver. I've also tested this on stable/9. I'll MFC it shortly. PR: kern/170058 Reviewed by: jhb MFC after: 1 day Modified: head/sys/dev/pccbb/pccbb_pci.c Modified: head/sys/dev/pccbb/pccbb_pci.c == --- head/sys/dev/pccbb/pccbb_pci.c Tue Jul 31 18:44:10 2012 (r238953) +++ head/sys/dev/pccbb/pccbb_pci.c Tue Jul 31 18:47:17 2012 (r238954) @@ -465,6 +465,11 @@ cbb_chipinit(struct cbb_softc *sc) if (pci_read_config(sc->dev, PCIR_LATTIMER, 1) < 0x20) pci_write_config(sc->dev, PCIR_LATTIMER, 0x20, 1); + /* Restore bus configuration */ + pci_write_config(sc->dev, PCIR_PRIBUS_2, sc->pribus, 1); + pci_write_config(sc->dev, PCIR_SECBUS_2, sc->secbus, 1); + pci_write_config(sc->dev, PCIR_SUBBUS_2, sc->subbus, 1); + /* Enable memory access */ PCI_MASK_CONFIG(sc->dev, PCIR_COMMAND, | PCIM_CMD_MEMEN ___ svn-src-...@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/svn-src-all To unsubscribe, send any mail to "svn-src-all-unsubscr...@freebsd.org" ___ freebsd-bugs@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-bugs To unsubscribe, send any mail to "freebsd-bugs-unsubscr...@freebsd.org"
Re: bin/170288: camcontrol(8) inquiry command does not provide information for ata(4) harddisks
The following reply was made to PR bin/170288; it has been noted by GNATS. From: Andriy Gapon To: bug-follo...@freebsd.org, dr2...@pacbell.net Cc: Subject: Re: bin/170288: camcontrol(8) inquiry command does not provide information for ata(4) harddisks Date: Wed, 01 Aug 2012 00:49:08 +0300 Not sure what problem you are reporting here... What you observe is by design. "CAM" in camcontrol stands for "Common Access _Method_", it doesn't stand for unified command interface. SCSI has 'inquiry', ATA has 'identify'. Please clarify. -- Andriy Gapon ___ freebsd-bugs@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-bugs To unsubscribe, send any mail to "freebsd-bugs-unsubscr...@freebsd.org"
misc/170302: [ath] 802.11n frames are not being transmitted with multiple rates
>Number: 170302 >Category: misc >Synopsis: [ath] 802.11n frames are not being transmitted with multiple >rates >Confidential: no >Severity: non-critical >Priority: low >Responsible:freebsd-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Tue Jul 31 23:50:09 UTC 2012 >Closed-Date: >Last-Modified: >Originator: Adrian Chadd >Release:9.0-STABLE i386, with -HEAD net80211/ath >Organization: >Environment: FreeBSD marilyn 9.0-STABLE FreeBSD 9.0-STABLE #6 r238210M: Sat Jul 21 16:59:42 PDT 2012 adrian@marilyn:/home/adrian/work/freebsd/stable/9/sys/i386/compile/MARILYN-9-STABLE i386 >Description: When doing some debugging, I noticed that the rate control code is not transmitting frames with multiple rate retries. For example, with 'sysctl dev.ath.0.debug=2' set (TX descriptor debugging): Q1[ 0] (DS.V:0xea739000 DS.P:0x1d29c000) L: D:3958d82c F:0005 Seq: 1904 swtry: 0 ADDBAW?: 0 DOBAW?: 0 417f0242 8240 00048000 008f 803a 009f 3f00 3f00 3f00 0080292c 0101 4ccfdabf 2d80282a 80808080 80808080 80808080 056b [end] Q1[ 0] (DS.V:0xea739000 DS.P:0x1d29c000) L: D:3958d82c F:0005 * Seq: 1904 swtry: 0 ADDBAW?: 0 DOBAW?: 0 417f0242 8240 00048000 008f 803a 009f 3f00 3f00 3f00 0080292c 0101 4ccfdabf 2d80282a 80808080 80808080 80808080 056b [end] . descriptor field 3 is 0x8f, which shows only one 11n rate (rate attempt #0) is set. >How-To-Repeat: associate to an 802.11n AP. >Fix: The TX and rate control paths assume that if RTS/CTS is enabled, multi-rate retry should be disabled. This is because of a limitation with the pre-11n chips - the AR5212 supports multi-rate retry but not with RTS/CTS enabled. >Release-Note: >Audit-Trail: >Unformatted: ___ freebsd-bugs@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-bugs To unsubscribe, send any mail to "freebsd-bugs-unsubscr...@freebsd.org"
Re: kern/170302: [ath] 802.11n frames are not being transmitted with multiple rates
Synopsis: [ath] 802.11n frames are not being transmitted with multiple rates Responsible-Changed-From-To: freebsd-bugs->freebsd-wireless Responsible-Changed-By: adrian Responsible-Changed-When: Tue Jul 31 23:51:48 UTC 2012 Responsible-Changed-Why: Punt to maintainer http://www.freebsd.org/cgi/query-pr.cgi?pr=170302 ___ freebsd-bugs@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-bugs To unsubscribe, send any mail to "freebsd-bugs-unsubscr...@freebsd.org"
