From owner-freebsd-bugs Thu Apr 24 17:00:04 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id RAA10676 for bugs-outgoing; Thu, 24 Apr 1997 17:00:04 -0700 (PDT)
Received: (from gnats@localhost) by hub.freebsd.org (8.8.5/8.8.5) id RAA10655; Thu, 24 Apr 1997 17:00:02 -0700 (PDT)
Resent-Date: Thu, 24 Apr 1997 17:00:02 -0700 (PDT)
Resent-Message-Id: <199704250000.RAA10655@hub.freebsd.org>
Resent-From: gnats (GNATS Management)
Resent-To: freebsd-bugs
Resent-Reply-To: FreeBSD-gnats@freefall.FreeBSD.org, mike@marker.cs.utah.edu
Received: from marker.cs.utah.edu (marker.cs.utah.edu [155.99.212.61]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id QAA10186 for ; Thu, 24 Apr 1997 16:50:36 -0700 (PDT)
Received: (from mike@localhost) by marker.cs.utah.edu (8.8.5/8.7.3) id RAA22720; Thu, 24 Apr 1997 17:50:32 -0600 (MDT)
Message-Id: <199704242350.RAA22720@marker.cs.utah.edu>
Date: Thu, 24 Apr 1997 17:50:32 -0600 (MDT)
From: Mike Hibler
Reply-To: mike@marker.cs.utah.edu
To: FreeBSD-gnats-submit@freebsd.org
X-Send-Pr-Version: 3.2
Subject: kern/3380: kernel bug: typo in mount export list processing
Sender: owner-bugs@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

>Number:         3380
>Category:       kern
>Synopsis:       typo in mount export list processing
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Apr 24 17:00:01 PDT 1997
>Last-Modified:
>Originator:     Mike Hibler
>Organization:   U.of U.
>Release:        FreeBSD 2.1.7-RELEASE i386
>Environment:
All current versions of {open,net,free}bsd
>Description:
There is a typo in mount's export list processing that results in FSes being exported to more networks than intended (though unlikely, it could be exploited via NFS, hence the "serious" and "high" rating).
In kern/vfs_subr.c in vfs_hang_addrlist:

	if (argp->ex_masklen) {
		smask = (struct sockaddr *)((caddr_t)saddr + argp->ex_addrlen);
		error = copyin(argp->ex_addr, (caddr_t)smask, argp->ex_masklen);
		if (error)
			goto out;
		if (smask->sa_len > argp->ex_masklen)
			smask->sa_len = argp->ex_masklen;
	}

copyin is using argp->ex_addr instead of argp->ex_mask as the address of the mask.
>How-To-Repeat:
N/A
>Fix:
Change ex_addr to ex_mask in the copyin.
>Audit-Trail:
>Unformatted:
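To make the consequence of the wrong pointer concrete, here is an added user-space model of the faulty and the corrected copy; it is not code from the report or from the FreeBSD tree. It assumes IPv4 addresses held as plain 32-bit values in place of struct sockaddr, a plain mask-and-compare lookup in place of the kernel's radix-tree export match, and the names export_args_model, copyin_model, hang_addrlist_model, client_matches and export_allows are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of the mount(2) export arguments: ex_addr and ex_mask point at the
 * network address and netmask the caller supplies (here raw IPv4 values;
 * an assumption of this model, the kernel uses struct sockaddr). */
struct export_args_model {
    const uint32_t *ex_addr;
    const uint32_t *ex_mask;
};

/* Stand-in for copyin(9): a user-space copy that always succeeds. */
static int copyin_model(const void *uaddr, void *kaddr, size_t len) {
    memcpy(kaddr, uaddr, len);
    return 0;
}

/* The kernel-side copies from the report. `fixed` selects the corrected
 * form (mask copied from ex_mask) or the typo (mask copied from ex_addr).
 * Returns 0 on success, like copyin. */
static int hang_addrlist_model(const struct export_args_model *argp,
                               uint32_t *saddr, uint32_t *smask, int fixed) {
    int error = copyin_model(argp->ex_addr, saddr, sizeof *saddr);
    if (error)
        return error;
    /* With the typo the "mask" buffer receives a second copy of the address. */
    error = copyin_model(fixed ? argp->ex_mask : argp->ex_addr, smask, sizeof *smask);
    return error;
}

/* Pack four octets into a host-order IPv4 value. */
static uint32_t ip4(uint8_t a, uint8_t b, uint8_t c, uint8_t d) {
    return ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | d;
}

/* Export lookup reduced to "mask the client address and compare"
 * (the real kernel matches through a radix tree; assumption of the model). */
static int client_matches(uint32_t client, uint32_t saddr, uint32_t smask) {
    return (client & smask) == (saddr & smask);
}

/* Hang an export for the constructed network 155.99.0.0/16 through the buggy
 * or fixed path and report whether `client` would be granted access
 * (1 = allowed, 0 = denied, -1 = copy failed). */
static int export_allows(uint32_t client, int fixed) {
    uint32_t net = ip4(155, 99, 0, 0);      /* constructed sample export */
    uint32_t mask = ip4(255, 255, 0, 0);
    struct export_args_model args = { &net, &mask };
    uint32_t saddr = 0, smask = 0;
    if (hang_addrlist_model(&args, &saddr, &smask, fixed) != 0)
        return -1;
    return client_matches(client, saddr, smask);
}

static void show(const char *label, uint32_t client) {
    printf("%-22s fixed=%d typo=%d\n", label,
           export_allows(client, 1), export_allows(client, 0));
}

int main(void) {
    show("155.99.1.2 (inside)", ip4(155, 99, 1, 2));
    show("159.107.1.1 (outside)", ip4(159, 107, 1, 1));
    show("10.0.0.1 (outside)", ip4(10, 0, 0, 1));
    return 0;
}
```

With the typo the stored netmask is 155.99.0.0 rather than 255.255.0.0, so any client whose address has at least those bits set (159.107.1.1, for instance) passes the masked comparison and reaches the export, which is the "more networks than intended" effect the report describes. Administrators who exported to a network rather than to individual hosts on an affected release should treat the export as reachable from such addresses until the one-word fix is applied.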