From owner-freebsd-bugs@FreeBSD.ORG  Wed Jan 21 01:40:23 2004
Return-Path: <owner-freebsd-bugs@FreeBSD.ORG>
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 0242816A4CE
	for <freebsd-bugs@hub.freebsd.org>;
	Wed, 21 Jan 2004 01:40:23 -0800 (PST)
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 99BC443D4C
	for <freebsd-bugs@hub.freebsd.org>;
	Wed, 21 Jan 2004 01:40:18 -0800 (PST)
	(envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1])
	i0L9eIFR062674	for <freebsd-bugs@freefall.freebsd.org>;
	Wed, 21 Jan 2004 01:40:18 -0800 (PST)
	(envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost)
	by freefall.freebsd.org (8.12.10/8.12.10/Submit) id i0L9eIjc062673;
	Wed, 21 Jan 2004 01:40:18 -0800 (PST)
	(envelope-from gnats)
Resent-Date: Wed, 21 Jan 2004 01:40:18 -0800 (PST)
Resent-Message-Id: <200401210940.i0L9eIjc062673@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-bugs@FreeBSD.org
Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org,
	Frank Denis -Jedi/Sector One- <j@pureftpd.org>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id D669B16A4CE
	for <FreeBSD-gnats-submit@freebsd.org>;
	Wed, 21 Jan 2004 01:36:38 -0800 (PST)
Received: from static1.orbus.fr (dax.orbus.fr [212.129.63.67])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 23E5343D41
	for <FreeBSD-gnats-submit@freebsd.org>;
	Wed, 21 Jan 2004 01:36:37 -0800 (PST)
	(envelope-from j@static1.orbus.fr)
Received: from static1.orbus.fr (localhost.orbus.fr [127.0.0.1])
	by static1.orbus.fr (8.12.10/8.12.10) with ESMTP id i0L9aXPH062411
	for <FreeBSD-gnats-submit@freebsd.org>;
	Wed, 21 Jan 2004 10:36:33 +0100 (CET)
	(envelope-from j@static1.orbus.fr)
Received: (from root@localhost)
	by static1.orbus.fr (8.12.10/8.12.10/Submit) id i0L9aWrP062410;
	Wed, 21 Jan 2004 10:36:32 +0100 (CET)
	(envelope-from j)
Message-Id: <200401210936.i0L9aWrP062410@static1.orbus.fr>
Date: Wed, 21 Jan 2004 10:36:32 +0100 (CET)
From: Frank Denis -Jedi/Sector One- <j@pureftpd.org>
To: FreeBSD-gnats-submit@FreeBSD.org
X-Send-Pr-Version: 3.113
Subject: bin/61666: mount_nfs parsing bug, segmentation fault
X-BeenThere: freebsd-bugs@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
Reply-To: Frank Denis -Jedi/Sector One- <j@pureftpd.org>
List-Id: Bug reports <freebsd-bugs.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-bugs>,
	<mailto:freebsd-bugs-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-bugs>
List-Post: <mailto:freebsd-bugs@freebsd.org>
List-Help: <mailto:freebsd-bugs-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-bugs>,
	<mailto:freebsd-bugs-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 21 Jan 2004 09:40:23 -0000


>Number:         61666
>Category:       bin
>Synopsis:       mount_nfs parsing bug, segmentation fault
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Jan 21 01:40:16 PST 2004
>Closed-Date:
>Last-Modified:
>Originator:     Frank DENIS -Jedi/Sector One-
>Release:        FreeBSD 4.9-STABLE i386
>Organization:
42 Networks
>Environment:
System: FreeBSD static1.orbus.fr 4.9-STABLE FreeBSD 4.9-STABLE #0: Sat Nov 1 14:25:14 CET 2003 root@dax.orbus.fr:/usr/obj/usr/src/sys/J i386
>Description:

There's a problem with the way mount_nfs(8) parses
acregmin/acregmax/acdirmin and acdirmax.

Look at the code :

                        if (altflags & ALTF_ACREGMIN) {
                                nfsargsp->flags |= NFSMNT_ACREGMIN;
                                nfsargsp->acregmin =
                                    atoi(strstr(optarg, "acregmin=") + 9);
                        }
                        if (altflags & ALTF_ACREGMAX) {
                                nfsargsp->flags |= NFSMNT_ACREGMAX;
                                nfsargsp->acregmax =
                                    atoi(strstr(optarg, "acregmax=") + 9);
                        }


For instance if we use both acregmin and acregmax :

- on the first round, the ALTF_ACREGMIN will be set, everything's allright.

- on the next round (when optarg willl be "acregmax=xxx"), the first
statement will also get evaluated because ALTF_ACREGMIN has been set.
But strstr(optarg, "acregmin=") will be NULL. Dereferencing NULL + 9 produces
an obvious segmentation fault.

>How-To-Repeat:

Try for instance to mount a filesystem with acregmin=2,acregmax=2.
A segmentation fault occurs even when the command has not been started by
root.

>Fix:

-

>Release-Note:
>Audit-Trail:
>Unformatted: