Debian Bug report logs - #549002
linux-image-2.6.26-2-xen-amd64: Kernel Oops - autofs5 nfs4 mount


Package: linux-image-2.6.26-2-xen-amd64; Maintainer for linux-image-2.6.26-2-xen-amd64 is (unknown);

Reported by: Christian Salzmann <[email protected]>

Date: Wed, 30 Sep 2009 09:39:03 UTC

Severity: important

Tags: patch, upstream

Found in version linux-2.6/2.6.26-19

Fixed in versions linux-2.6/2.6.31-1~experimental.2, linux-2.6/2.6.26-20

Done: dann frazier <[email protected]>

Bug is archived. No further changes may be made.

Subject: Bug#549002: [PATCH] nfs: Avoid overrun when copying client IP address string
From: Ben Hutchings <[email protected]>
To: Trond Myklebust <[email protected]>
Cc: [email protected], [email protected]
Date: Sun, 04 Oct 2009 14:25:49 +0100
Message-Id: <1254662749.2395.68.camel@localhost>
As seen in <http://bugs.debian.org/549002>, nfs4_init_client() can
overrun the source string when copying the client IP address from
nfs_parsed_mount_data::client_address to nfs_client::cl_ipaddr.  Since
these are both treated as null-terminated strings elsewhere, the copy
should be done with strlcpy() not memcpy().

Signed-off-by: Ben Hutchings <[email protected]>
---
diff --git a/fs/nfs/client.c b/fs/nfs/client.c
index 75c9cd2..f525a2f 100644
--- a/fs/nfs/client.c
+++ b/fs/nfs/client.c
@@ -1073,7 +1073,7 @@ static int nfs4_init_client(struct nfs_client *clp,
 				      1, flags & NFS_MOUNT_NORESVPORT);
 	if (error < 0)
 		goto error;
-	memcpy(clp->cl_ipaddr, ip_addr, sizeof(clp->cl_ipaddr));
+	strlcpy(clp->cl_ipaddr, ip_addr, sizeof(clp->cl_ipaddr));
 
 	error = nfs_idmap_new(clp);
 	if (error < 0) {
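
Review bot: the added strlcpy() line discards its return value, so an ip_addr string longer than sizeof(clp->cl_ipaddr) - 1 is truncated silently and client setup carries on with a shortened address. strlcpy() returns the length of the source string, so comparing that result against sizeof(clp->cl_ipaddr), setting error and taking the existing `goto error` path would reject an over-long address instead of storing a cut-off one. The commit message could also state that the old memcpy() always read sizeof(clp->cl_ipaddr) bytes from ip_addr regardless of the string's length, since that is the overrun being fixed.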

-- 
Ben Hutchings
I say we take off; nuke the site from orbit.  It's the only way to be sure.
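
The over-read described in the commit message above, as an added userspace example that is not part of the original patch or the kernel source. `CL_IPADDR_SIZE`, `bounded_copy()` and `adjacent_bytes_copied()` are hypothetical names, the 48-byte destination size and the sample address are assumptions, and the source string sits inside a larger constructed buffer so that the fixed-size read stays within one object here (in the reported bug it ran past the end of the source allocation).

```c
#include <stdio.h>
#include <string.h>

#define CL_IPADDR_SIZE 48 /* assumed size of nfs_client::cl_ipaddr */

/* Userspace stand-in for strlcpy(): copies at most size-1 bytes, always
 * NUL-terminates, returns strlen(src) so callers can detect truncation. */
static size_t bounded_copy(char *dst, const char *src, size_t size)
{
    size_t len = strlen(src);

    if (size != 0) {
        size_t n = (len >= size) ? size - 1 : len;
        memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return len;
}

/* Constructed layout: a short address string followed by unrelated bytes
 * ('S') in the same buffer. Returns how many unrelated bytes reach dst.
 * use_memcpy selects the pre-patch (1) or post-patch (0) copy pattern. */
static size_t adjacent_bytes_copied(int use_memcpy)
{
    char region[64];
    char dst[CL_IPADDR_SIZE];
    const char *addr = "192.0.2.10"; /* constructed sample address */
    size_t used = strlen(addr) + 1, stray = 0;

    memset(region, 'S', sizeof(region));
    memcpy(region, addr, used);
    memset(dst, 0, sizeof(dst));

    if (use_memcpy)
        memcpy(dst, region, sizeof(dst));       /* reads past the NUL */
    else
        bounded_copy(dst, region, sizeof(dst)); /* stops at the NUL */

    for (size_t i = used; i < sizeof(dst); i++)
        stray += (dst[i] == 'S');
    return stray;
}

int main(void)
{
    printf("memcpy: %zu stray bytes, bounded copy: %zu\n",
           adjacent_bytes_copied(1), adjacent_bytes_copied(0));
    return 0;
}
```

A return value from `bounded_copy()` that is greater than or equal to the destination size means the string was truncated.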






Debian bug tracking system administrator <[email protected]>. Last modified: Sat May 10 03:07:43 2025; Machine Name: bembo
