Re: rpc.mountd crashes when extensively using netgroups

Stefan Walter wrote:

We do this on a much larger scale though. The bug we ran into is
in line 96 in utils/mountd/auth.c. The strcpy can corrupt
memory when it copies the string returned by client_compose() to

my_client.m_hostname which has a fixed size of 1024 bytes. For our example above, client_compose() returns "@joe,@jane"

for any machine in the offices_1 netgroup. Unfortunately we have
a machine to which roughly 150 netgroups like @joe or @jane
export to and client_compose() returns a string over 1300 bytes
long and rpc.mountd nicely segfaults.

To prevent the crash is of course trivial: Inserting a simple

'if (strlen(n) > 1024) return NULL;' before line 96 does the job.

Does the attached patch help?

There are however two issues for which we could not find an easy
solution:

 1. For every client rpc.mountd and the kernel seem to exchange
    and use lists with _all_ netgroups used in exports that are
    relevant for granting permission to some share for a particular
    client. We could imagine two optimizations here:

       * Resolve netgroups and only put the (member) netgroups that
         contained the host name that would be used to authorize
         a mount in the list.

       * Use the list of mounted paths per client and only put the
         netgroup(s) used to export paths that are actually mounted

on a client.

These sound reasonable...

2. Using a fixed size for NFSCLNT_IDMAX does not scale. Mounting

    shares on a client for which the 'if' clause of the quick fix
    becomes true will not be possible. We thought about enlarging

NFSCLNT_IDMAX and using a custom kernel but dropped the idea.

True...

Our ultimate goal is to get Red Hat fix the code in nfs-utils 1.0.6
that is used in RHEL4. A first step would be to get a suitable fix in

the current nfs-utils.

Please open up bugs on all three of these issues and
we'll see what can done...

steved.

commit 851ce1cb766cf295db85900aab804c0f82c12ab3
Author: Steve Dickson <[email protected]>
Date:   Tue Jul 31 09:57:19 2007 -0400

    Stop rpc.mound from crashing by m_hostname becoming
    corrupted with very long host names.
    
    Signed-off-by: Steve Dickson <[email protected]>

diff --git a/utils/mountd/auth.c b/utils/mountd/auth.c
index f7fe23d..eff0ba7 100644
--- a/utils/mountd/auth.c
+++ b/utils/mountd/auth.c
@@ -93,7 +93,8 @@ auth_authenticate_internal(char *what, struct sockaddr_in *caller,
 		*error = unknown_host;
 		if (!n)
 			return NULL;
-		strcpy(my_client.m_hostname, *n?n:"DEFAULT");
+		snprintf(my_client.m_hostname, (NFSCLNT_IDMAX+1), 
+			"%s", *n?n:"DEFAULT");
 		free(n);
 		my_client.m_naddr = 1;
 		my_exp.m_client = &my_client;

---

• Follow-Ups:
  • Re: rpc.mountd crashes when extensively using netgroups
    • From: Stefan Walter <[email protected]>

• References:
  • rpc.mountd crashes when extensively using netgroups
    • From: Stefan Walter <[email protected]>

• Prev by Date: ATA over ethernet swapping and obfuscated code
• Next by Date: Re: [rft] Kill junk from s2ram resume paths
• Previous by thread: rpc.mountd crashes when extensively using netgroups
• Next by thread: Re: rpc.mountd crashes when extensively using netgroups
• Index(es):
  • Date
  • Thread

[Index of Archives]     [Kernel Newbies]     [Netfilter]     [Bugtraq]     [Photo]     [Stuff]     [Gimp]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Video 4 Linux]     [Linux for the blind]     [Linux Resources]