Merge branch 'upstream'

[nfs-utils.git] / debian / patches / 21-anticipate-RLIMIT_FSIZE.patch

From: NeilBrown <neilb@suse.de>
Date: Mon, 23 May 2011 12:19:57 +0000 (-0400)
Subject: Remove risk of nfs_addmntent corrupting mtab
X-Git-Url: http://git.linux-nfs.org/?p=steved%2Fnfs-utils.git;a=commitdiff_plain;h=7a802337bfc92d0b30fe94dbd0fa231990a26161

Remove risk of nfs_addmntent corrupting mtab

nfs_addmntent is used to append directly to /etc/mtab.
If the write partially fail, e.g. due to RLIMIT_FSIZE,
truncate back to original size and return an error.

See also https://bugzilla.redhat.com/show_bug.cgi?id=697975
(CVE-2011-1749) CVE-2011-1749 nfs-utils: mount.nfs fails to anticipate RLIMIT_FSIZE

Signed-off-by: NeilBrown <neilb@suse.de>
Signed-off-by: Steve Dickson <steved@redhat.com>
---

diff --git a/support/nfs/nfs_mntent.c b/support/nfs/nfs_mntent.c
index a5216fc..a2118a2 100644
--- a/support/nfs/nfs_mntent.c
+++ b/support/nfs/nfs_mntent.c
@@ -12,6 +12,7 @@
 #include <string.h>            /* for index */
 #include <ctype.h>             /* for isdigit */
 #include <sys/stat.h>          /* for umask */
+#include <unistd.h>            /* for ftruncate */
 
 #include "nfs_mntent.h"
 #include "nls.h"
@@ -127,9 +128,11 @@ int
 nfs_addmntent (mntFILE *mfp, struct mntent *mnt) {
        char *m1, *m2, *m3, *m4;
        int res;
+       off_t length;
 
        if (fseek (mfp->mntent_fp, 0, SEEK_END))
                return 1;                       /* failure */
+       length = ftell(mfp->mntent_fp);
 
        m1 = mangle(mnt->mnt_fsname);
        m2 = mangle(mnt->mnt_dir);
@@ -143,6 +146,12 @@ nfs_addmntent (mntFILE *mfp, struct mntent *mnt) {
        free(m2);
        free(m3);
        free(m4);
+       if (res >= 0) {
+               res = fflush(mfp->mntent_fp);
+               if (res < 0)
+                       /* Avoid leaving a corrupt mtab file */
+                       ftruncate(fileno(mfp->mntent_fp), length);
+       }
        return (res < 0) ? 1 : 0;
 }