Author: cperciva
Date: Thu May 27 03:15:04 2010
New Revision: 208586
URL: http://svn.freebsd.org/changeset/base/208586
Log:
Change the current working directory to be inside the jail created by
the jail(8) command. [10:04]
Fix a one-NUL-byte buffer overflow in libopie. [10:05]
Correctly sanity-check a buffer length in nfs mount. [10:06]
Approved by: so (cperciva)
Approved by: re (kensmith)
Security: FreeBSD-SA-10:04.jail
Security: FreeBSD-SA-10:05.opie
Security: FreeBSD-SA-10:06.nfsclient
Modified:
stable/7/contrib/opie/libopie/readrec.c
stable/7/lib/libc/sys/mount.2
stable/7/sys/nfsclient/nfs_vfsops.c
Changes in other areas also in this revision:
Modified:
head/contrib/opie/libopie/readrec.c
head/lib/libc/sys/mount.2
head/sys/nfsclient/nfs_vfsops.c
head/usr.sbin/jail/jail.c
releng/6.4/UPDATING
releng/6.4/contrib/opie/libopie/readrec.c
releng/6.4/sys/conf/newvers.sh
releng/7.1/UPDATING
releng/7.1/contrib/opie/libopie/readrec.c
releng/7.1/sys/conf/newvers.sh
releng/7.2/UPDATING
releng/7.2/contrib/opie/libopie/readrec.c
releng/7.2/lib/libc/sys/mount.2
releng/7.2/sys/conf/newvers.sh
releng/7.2/sys/nfsclient/nfs_vfsops.c
releng/7.3/UPDATING
releng/7.3/contrib/opie/libopie/readrec.c
releng/7.3/lib/libc/sys/mount.2
releng/7.3/sys/conf/newvers.sh
releng/7.3/sys/nfsclient/nfs_vfsops.c
releng/8.0/UPDATING
releng/8.0/contrib/opie/libopie/readrec.c
releng/8.0/lib/libc/sys/mount.2
releng/8.0/sys/conf/newvers.sh
releng/8.0/sys/nfsclient/nfs_vfsops.c
releng/8.0/usr.sbin/jail/jail.c
stable/6/contrib/opie/libopie/readrec.c
stable/8/contrib/opie/libopie/readrec.c
stable/8/lib/libc/sys/mount.2
stable/8/sys/nfsclient/nfs_vfsops.c
stable/8/usr.sbin/jail/jail.c
Modified: stable/7/contrib/opie/libopie/readrec.c
==============================================================================
--- stable/7/contrib/opie/libopie/readrec.c Thu May 27 01:27:25 2010
(r208585)
+++ stable/7/contrib/opie/libopie/readrec.c Thu May 27 03:15:04 2010
(r208586)
@@ -141,10 +141,8 @@ int __opiereadrec FUNCTION((opie), struc
if (c = strchr(opie->opie_principal, ':'))
*c = 0;
- if (strlen(opie->opie_principal) > OPIE_PRINCIPAL_MAX)
- (opie->opie_principal)[OPIE_PRINCIPAL_MAX] = 0;
- strcpy(principal, opie->opie_principal);
+ strlcpy(principal, opie->opie_principal, sizeof(principal));
do {
if ((opie->opie_recstart = ftell(f)) < 0)
Modified: stable/7/lib/libc/sys/mount.2
==============================================================================
--- stable/7/lib/libc/sys/mount.2 Thu May 27 01:27:25 2010
(r208585)
+++ stable/7/lib/libc/sys/mount.2 Thu May 27 03:15:04 2010
(r208586)
@@ -107,7 +107,7 @@ This restriction can be removed by setti
.Va vfs.usermount
.Xr sysctl 8
variable
-to a non-zero value.
+to a non-zero value; see the BUGS section for more information.
.Pp
The following
.Fa flags
@@ -370,3 +370,10 @@ functions appeared in
.At v6 .
.Sh BUGS
Some of the error codes need translation to more obvious messages.
+.Pp
+Allowing untrusted users to mount arbitrary media, e.g. by enabling
+.Va vfs.usermount ,
+should not be considered safe.
+Most file systems in
+.Fx
+were not built to safeguard against malicious devices.
Modified: stable/7/sys/nfsclient/nfs_vfsops.c
==============================================================================
--- stable/7/sys/nfsclient/nfs_vfsops.c Thu May 27 01:27:25 2010
(r208585)
+++ stable/7/sys/nfsclient/nfs_vfsops.c Thu May 27 03:15:04 2010
(r208586)
@@ -1002,6 +1002,11 @@ nfs_mount(struct mount *mp, struct threa
nfs_decode_args(mp, nmp, &args, NULL);
goto out;
}
+ if (args.fhsize < 0 || args.fhsize > NFSX_V3FHMAX) {
+ vfs_mount_error(mp, "Bad file handle");
+ error = EINVAL;
+ goto out;
+ }
/*
* Make the nfs_ip_paranoia sysctl serve as the default connection
_______________________________________________
svn-src-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to "svn-src-all-unsubscr...@freebsd.org"
