From: NeilBrown Date: Mon, 23 May 2011 12:19:57 +0000 (-0400) Subject: Remove risk of nfs_addmntent corrupting mtab X-Git-Tag: nfs-utils-1-2-4-rc9~11 X-Git-Url: https://git.decadent.org.uk/gitweb/?a=commitdiff_plain;h=7a802337bfc92d0b30fe94dbd0fa231990a26161;p=nfs-utils.git Remove risk of nfs_addmntent corrupting mtab nfs_addmntent is used to append directly to /etc/mtab. If the write partially fail, e.g. due to RLIMIT_FSIZE, truncate back to original size and return an error. See also https://bugzilla.redhat.com/show_bug.cgi?id=697975 (CVE-2011-1749) CVE-2011-1749 nfs-utils: mount.nfs fails to anticipate RLIMIT_FSIZE Signed-off-by: NeilBrown Signed-off-by: Steve Dickson --- diff --git a/support/nfs/nfs_mntent.c b/support/nfs/nfs_mntent.c index a5216fc..a2118a2 100644 --- a/support/nfs/nfs_mntent.c +++ b/support/nfs/nfs_mntent.c @@ -12,6 +12,7 @@ #include /* for index */ #include /* for isdigit */ #include /* for umask */ +#include /* for ftruncate */ #include "nfs_mntent.h" #include "nls.h" @@ -127,9 +128,11 @@ int nfs_addmntent (mntFILE *mfp, struct mntent *mnt) { char *m1, *m2, *m3, *m4; int res; + off_t length; if (fseek (mfp->mntent_fp, 0, SEEK_END)) return 1; /* failure */ + length = ftell(mfp->mntent_fp); m1 = mangle(mnt->mnt_fsname); m2 = mangle(mnt->mnt_dir); @@ -143,6 +146,12 @@ nfs_addmntent (mntFILE *mfp, struct mntent *mnt) { free(m2); free(m3); free(m4); + if (res >= 0) { + res = fflush(mfp->mntent_fp); + if (res < 0) + /* Avoid leaving a corrupt mtab file */ + ftruncate(fileno(mfp->mntent_fp), length); + } return (res < 0) ? 1 : 0; }