+++ /dev/null
-From: NeilBrown <neilb@suse.de>
-Date: Mon, 23 May 2011 12:19:57 +0000 (-0400)
-Subject: Remove risk of nfs_addmntent corrupting mtab
-X-Git-Url: http://git.linux-nfs.org/?p=steved%2Fnfs-utils.git;a=commitdiff_plain;h=7a802337bfc92d0b30fe94dbd0fa231990a26161
-
-Remove risk of nfs_addmntent corrupting mtab
-
-nfs_addmntent is used to append directly to /etc/mtab.
-If the write partially fail, e.g. due to RLIMIT_FSIZE,
-truncate back to original size and return an error.
-
-See also https://bugzilla.redhat.com/show_bug.cgi?id=697975
-(CVE-2011-1749) CVE-2011-1749 nfs-utils: mount.nfs fails to anticipate RLIMIT_FSIZE
-
-Signed-off-by: NeilBrown <neilb@suse.de>
-Signed-off-by: Steve Dickson <steved@redhat.com>
----
-
-diff --git a/support/nfs/nfs_mntent.c b/support/nfs/nfs_mntent.c
-index a5216fc..a2118a2 100644
---- a/support/nfs/nfs_mntent.c
-+++ b/support/nfs/nfs_mntent.c
-@@ -12,6 +12,7 @@
- #include <string.h> /* for index */
- #include <ctype.h> /* for isdigit */
- #include <sys/stat.h> /* for umask */
-+#include <unistd.h> /* for ftruncate */
-
- #include "nfs_mntent.h"
- #include "nls.h"
-@@ -127,9 +128,11 @@ int
- nfs_addmntent (mntFILE *mfp, struct mntent *mnt) {
- char *m1, *m2, *m3, *m4;
- int res;
-+ off_t length;
-
- if (fseek (mfp->mntent_fp, 0, SEEK_END))
- return 1; /* failure */
-+ length = ftell(mfp->mntent_fp);
-
- m1 = mangle(mnt->mnt_fsname);
- m2 = mangle(mnt->mnt_dir);
-@@ -143,6 +146,12 @@ nfs_addmntent (mntFILE *mfp, struct mntent *mnt) {
- free(m2);
- free(m3);
- free(m4);
-+ if (res >= 0) {
-+ res = fflush(mfp->mntent_fp);
-+ if (res < 0)
-+ /* Avoid leaving a corrupt mtab file */
-+ ftruncate(fileno(mfp->mntent_fp), length);
-+ }
- return (res < 0) ? 1 : 0;
- }
-
projects / nfs-utils.git / blobdiff