aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorColin Percival <cperciva@FreeBSD.org>2010-05-27 03:15:04 +0000
committerColin Percival <cperciva@FreeBSD.org>2010-05-27 03:15:04 +0000
commit5a4327739c52195c780993710fce9dc10fe7c9b6 (patch)
tree1f3e883655f9a5cd377b29684367adba275b4b56
parent8d0c6fc2265889343804561a37998b02971e6b18 (diff)
downloadsrc-releng/7.2.tar.gz
src-releng/7.2.zip
Change the current working directory to be inside the jail created byreleng/7.2
the jail(8) command. [10:04] Fix a one-NUL-byte buffer overflow in libopie. [10:05] Correctly sanity-check a buffer length in nfs mount. [10:06] Approved by: so (cperciva) Approved by: re (kensmith) Security: FreeBSD-SA-10:04.jail Security: FreeBSD-SA-10:05.opie Security: FreeBSD-SA-10:06.nfsclient
Notes
Notes: svn path=/releng/7.2/; revision=208586
-rw-r--r--UPDATING5
-rw-r--r--contrib/opie/libopie/readrec.c4
-rw-r--r--lib/libc/sys/mount.29
-rw-r--r--sys/conf/newvers.sh2
-rw-r--r--sys/nfsclient/nfs_vfsops.c5
5 files changed, 20 insertions, 5 deletions
diff --git a/UPDATING b/UPDATING
index f6e94bf83b26..66aba7d1ad8f 100644
--- a/UPDATING
+++ b/UPDATING
@@ -8,6 +8,11 @@ Items affecting the ports and packages system can be found in
/usr/ports/UPDATING. Please read that file before running
portupgrade.
+20100526: p8 FreeBSD-SA-10:05.opie, FreeBSD-SA-10:06.nfsclient
+ Fix a one-NUL-byte buffer overflow in libopie. [10:05]
+
+ Correctly sanity-check a buffer length in nfs mount. [10:06]
+
20100227: p7 FreeBSD-EN-10:02.sched_ule
Fix a deadlock in the ULE scheduler.
diff --git a/contrib/opie/libopie/readrec.c b/contrib/opie/libopie/readrec.c
index f56af7ffb73d..4f204b927eeb 100644
--- a/contrib/opie/libopie/readrec.c
+++ b/contrib/opie/libopie/readrec.c
@@ -141,10 +141,8 @@ int __opiereadrec FUNCTION((opie), struct opie *opie)
if (c = strchr(opie->opie_principal, ':'))
*c = 0;
- if (strlen(opie->opie_principal) > OPIE_PRINCIPAL_MAX)
- (opie->opie_principal)[OPIE_PRINCIPAL_MAX] = 0;
- strcpy(principal, opie->opie_principal);
+ strlcpy(principal, opie->opie_principal, sizeof(principal));
do {
if ((opie->opie_recstart = ftell(f)) < 0)
diff --git a/lib/libc/sys/mount.2 b/lib/libc/sys/mount.2
index 6ce2d4d2fa74..3d48f4110fce 100644
--- a/lib/libc/sys/mount.2
+++ b/lib/libc/sys/mount.2
@@ -107,7 +107,7 @@ This restriction can be removed by setting the
.Va vfs.usermount
.Xr sysctl 8
variable
-to a non-zero value.
+to a non-zero value; see the BUGS section for more information.
.Pp
The following
.Fa flags
@@ -370,3 +370,10 @@ functions appeared in
.At v6 .
.Sh BUGS
Some of the error codes need translation to more obvious messages.
+.Pp
+Allowing untrusted users to mount arbitrary media, e.g. by enabling
+.Va vfs.usermount ,
+should not be considered safe.
+Most file systems in
+.Fx
+were not built to safeguard against malicious devices.
diff --git a/sys/conf/newvers.sh b/sys/conf/newvers.sh
index 80aa476f0842..9278c5b06a75 100644
--- a/sys/conf/newvers.sh
+++ b/sys/conf/newvers.sh
@@ -32,7 +32,7 @@
TYPE="FreeBSD"
REVISION="7.2"
-BRANCH="RELEASE-p7"
+BRANCH="RELEASE-p8"
if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
BRANCH=${BRANCH_OVERRIDE}
fi
diff --git a/sys/nfsclient/nfs_vfsops.c b/sys/nfsclient/nfs_vfsops.c
index a963083fd4ab..378c0250d9f1 100644
--- a/sys/nfsclient/nfs_vfsops.c
+++ b/sys/nfsclient/nfs_vfsops.c
@@ -1002,6 +1002,11 @@ nfs_mount(struct mount *mp, struct thread *td)
nfs_decode_args(mp, nmp, &args, NULL);
goto out;
}
+ if (args.fhsize < 0 || args.fhsize > NFSX_V3FHMAX) {
+ vfs_mount_error(mp, "Bad file handle");
+ error = EINVAL;
+ goto out;
+ }
/*
* Make the nfs_ip_paranoia sysctl serve as the default connection