Date: Thu, 24 Apr 1997 17:50:32 -0600 (MDT)
From: Mike Hibler <mike@marker.cs.utah.edu>
To: FreeBSD-gnats-submit@freebsd.org
Subject: kern/3380: kernel bug: typo in mount export list processing
Message-ID: <199704242350.RAA22720@marker.cs.utah.edu>
Resent-Message-ID: <199704250000.RAA10655@hub.freebsd.org>

>Number: 3380
>Category: kern
>Synopsis: typo in mount export list processing
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: freebsd-bugs
>State: open
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Thu Apr 24 17:00:01 PDT 1997
>Last-Modified:
>Originator: Mike Hibler
>Organization: U.of U.
>Release: FreeBSD 2.1.7-RELEASE i386
>Environment:

All current versions of {open,net,free}bsd

>Description:

There is a typo in mount's export list processing that results in
FSes being exported to more networks than intended (though unlikely,
it could be exploited via NFS, hence the "serious" and "high" rating).

In kern/vfs_subr() in vfs_hang_addrlist:

    if (argp->ex_masklen) {
        smask = (struct sockaddr *) ((caddr_t) saddr + argp->ex_addrlen);
        error = copyin(argp->ex_addr, (caddr_t) smask, argp->ex_masklen);
        if (error)
            goto out;
        if (smask->sa_len > argp->ex_masklen)
            smask->sa_len = argp->ex_masklen;
    }

copyin is using argp->ex_addr instead of argp->ex_mask as the address
of the mask.

>How-To-Repeat:

N/A

>Fix:

Change ex_addr to ex_mask in the copyin.

>Audit-Trail:
>Unformatted:
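
Added example, not part of the original report or of the FreeBSD source: a userland C model of the mask copy, showing which constructed client addresses an export entry admits with and without the typo. The struct, the use of memcpy in place of copyin, and the match rule (masked client equals masked network) are simplifying assumptions; the kernel performs the lookup in a radix tree.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the export_args fields named in the report. */
struct export_args_model {
    const void *ex_addr; size_t ex_addrlen;   /* network address */
    const void *ex_mask; size_t ex_masklen;   /* netmask */
};

/* Return the mask that ends up installed for the entry.
 * typo != 0 copies from ex_addr, as in the reported code;
 * typo == 0 copies from ex_mask, as in the proposed fix.
 * memcpy stands in for copyin(), so there is no error path here. */
uint32_t installed_mask(const struct export_args_model *argp, int typo)
{
    uint32_t smask = 0xffffffffu;             /* no mask given: host entry */
    if (argp->ex_masklen && argp->ex_masklen <= sizeof smask)
        memcpy(&smask, typo ? argp->ex_addr : argp->ex_mask, argp->ex_masklen);
    return smask;
}

/* Assumed match rule: masked client equals masked network. */
int export_matches(uint32_t net, uint32_t mask, uint32_t client)
{
    return (client & mask) == (net & mask);
}

/* Count how many of n client addresses the entry admits. */
int count_admitted(uint32_t net, uint32_t mask, const uint32_t *clients, int n)
{
    int i, hits = 0;
    for (i = 0; i < n; i++)
        hits += export_matches(net, mask, clients[i]);
    return hits;
}

int main(void)
{
    /* Constructed sample: export to 10.1.2.0 with mask 255.255.255.0. */
    uint32_t net = 0x0a010200u, mask = 0xffffff00u;
    /* Constructed clients: 10.1.2.7, 10.1.3.7, 11.3.6.9, 192.168.0.1. */
    uint32_t clients[] = { 0x0a010207u, 0x0a010307u, 0x0b030609u, 0xc0a80001u };
    struct export_args_model a = { &net, sizeof net, &mask, sizeof mask };
    printf("fixed: %d of 4\n", count_admitted(net, installed_mask(&a, 0), clients, 4));
    printf("typo:  %d of 4\n", count_admitted(net, installed_mask(&a, 1), clients, 4));
    return 0;
}
```

With the typo the installed mask is the address itself, so only the bits that happen to be set in the address are compared and clients outside the intended /24 are admitted.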