diff options
| author | Colin Percival <cperciva@FreeBSD.org> | 2010-05-27 03:15:04 +0000 |
|---|---|---|
| committer | Colin Percival <cperciva@FreeBSD.org> | 2010-05-27 03:15:04 +0000 |
| commit | 5a4327739c52195c780993710fce9dc10fe7c9b6 (patch) | |
| tree | 1f3e883655f9a5cd377b29684367adba275b4b56 | |
| parent | 8d0c6fc2265889343804561a37998b02971e6b18 (diff) | |
Change the current working directory to be inside the jail created byreleng/7.2
the jail(8) command. [10:04]
Fix a one-NUL-byte buffer overflow in libopie. [10:05]
Correctly sanity-check a buffer length in nfs mount. [10:06]
Approved by: so (cperciva)
Approved by: re (kensmith)
Security: FreeBSD-SA-10:04.jail
Security: FreeBSD-SA-10:05.opie
Security: FreeBSD-SA-10:06.nfsclient
Notes
Notes:
svn path=/releng/7.2/; revision=208586
| -rw-r--r-- | UPDATING | 5 | ||||
| -rw-r--r-- | contrib/opie/libopie/readrec.c | 4 | ||||
| -rw-r--r-- | lib/libc/sys/mount.2 | 9 | ||||
| -rw-r--r-- | sys/conf/newvers.sh | 2 | ||||
| -rw-r--r-- | sys/nfsclient/nfs_vfsops.c | 5 |
5 files changed, 20 insertions, 5 deletions
@@ -8,6 +8,11 @@ Items affecting the ports and packages system can be found in /usr/ports/UPDATING. Please read that file before running portupgrade. +20100526: p8 FreeBSD-SA-10:05.opie, FreeBSD-SA-10:06.nfsclient + Fix a one-NUL-byte buffer overflow in libopie. [10:05] + + Correctly sanity-check a buffer length in nfs mount. [10:06] + 20100227: p7 FreeBSD-EN-10:02.sched_ule Fix a deadlock in the ULE scheduler. diff --git a/contrib/opie/libopie/readrec.c b/contrib/opie/libopie/readrec.c index f56af7ffb73d..4f204b927eeb 100644 --- a/contrib/opie/libopie/readrec.c +++ b/contrib/opie/libopie/readrec.c @@ -141,10 +141,8 @@ int __opiereadrec FUNCTION((opie), struct opie *opie) if (c = strchr(opie->opie_principal, ':')) *c = 0; - if (strlen(opie->opie_principal) > OPIE_PRINCIPAL_MAX) - (opie->opie_principal)[OPIE_PRINCIPAL_MAX] = 0; - strcpy(principal, opie->opie_principal); + strlcpy(principal, opie->opie_principal, sizeof(principal)); do { if ((opie->opie_recstart = ftell(f)) < 0) diff --git a/lib/libc/sys/mount.2 b/lib/libc/sys/mount.2 index 6ce2d4d2fa74..3d48f4110fce 100644 --- a/lib/libc/sys/mount.2 +++ b/lib/libc/sys/mount.2 @@ -107,7 +107,7 @@ This restriction can be removed by setting the .Va vfs.usermount .Xr sysctl 8 variable -to a non-zero value. +to a non-zero value; see the BUGS section for more information. .Pp The following .Fa flags @@ -370,3 +370,10 @@ functions appeared in .At v6 . .Sh BUGS Some of the error codes need translation to more obvious messages. +.Pp +Allowing untrusted users to mount arbitrary media, e.g. by enabling +.Va vfs.usermount , +should not be considered safe. +Most file systems in +.Fx +were not built to safeguard against malicious devices. diff --git a/sys/conf/newvers.sh b/sys/conf/newvers.sh index 80aa476f0842..9278c5b06a75 100644 --- a/sys/conf/newvers.sh +++ b/sys/conf/newvers.sh @@ -32,7 +32,7 @@ TYPE="FreeBSD" REVISION="7.2" -BRANCH="RELEASE-p7" +BRANCH="RELEASE-p8" if [ "X${BRANCH_OVERRIDE}" != "X" ]; then BRANCH=${BRANCH_OVERRIDE} fi diff --git a/sys/nfsclient/nfs_vfsops.c b/sys/nfsclient/nfs_vfsops.c index a963083fd4ab..378c0250d9f1 100644 --- a/sys/nfsclient/nfs_vfsops.c +++ b/sys/nfsclient/nfs_vfsops.c @@ -1002,6 +1002,11 @@ nfs_mount(struct mount *mp, struct thread *td) nfs_decode_args(mp, nmp, &args, NULL); goto out; } + if (args.fhsize < 0 || args.fhsize > NFSX_V3FHMAX) { + vfs_mount_error(mp, "Bad file handle"); + error = EINVAL; + goto out; + } /* * Make the nfs_ip_paranoia sysctl serve as the default connection |