From 7a802337bfc92d0b30fe94dbd0fa231990a26161 Mon Sep 17 00:00:00 2001 From: NeilBrown Date: Mon, 23 May 2011 08:19:57 -0400 Subject: [PATCH] Remove risk of nfs_addmntent corrupting mtab nfs_addmntent is used to append directly to /etc/mtab. If the write partially fail, e.g. due to RLIMIT_FSIZE, truncate back to original size and return an error. See also https://bugzilla.redhat.com/show_bug.cgi?id=697975 (CVE-2011-1749) CVE-2011-1749 nfs-utils: mount.nfs fails to anticipate RLIMIT_FSIZE Signed-off-by: NeilBrown Signed-off-by: Steve Dickson --- support/nfs/nfs_mntent.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/support/nfs/nfs_mntent.c b/support/nfs/nfs_mntent.c index a5216fc..a2118a2 100644 --- a/support/nfs/nfs_mntent.c +++ b/support/nfs/nfs_mntent.c @@ -12,6 +12,7 @@ #include /* for index */ #include /* for isdigit */ #include /* for umask */ +#include /* for ftruncate */ #include "nfs_mntent.h" #include "nls.h" @@ -127,9 +128,11 @@ int nfs_addmntent (mntFILE *mfp, struct mntent *mnt) { char *m1, *m2, *m3, *m4; int res; + off_t length; if (fseek (mfp->mntent_fp, 0, SEEK_END)) return 1; /* failure */ + length = ftell(mfp->mntent_fp); m1 = mangle(mnt->mnt_fsname); m2 = mangle(mnt->mnt_dir); @@ -143,6 +146,12 @@ nfs_addmntent (mntFILE *mfp, struct mntent *mnt) { free(m2); free(m3); free(m4); + if (res >= 0) { + res = fflush(mfp->mntent_fp); + if (res < 0) + /* Avoid leaving a corrupt mtab file */ + ftruncate(fileno(mfp->mntent_fp), length); + } return (res < 0) ? 1 : 0; } -- 2.39.5