Skip site navigation (1)Skip section navigation (2)
Date:      Thu, 16 Feb 2017 06:36:16 +0000 (UTC)
From:      Konstantin Belousov <kib@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   svn commit: r313800 - head/sys/fs/nfsclient
Message-ID:  <201702160636.v1G6aGqY066846@repo.freebsd.org>

next in thread | raw e-mail | index | archive | help
Author: kib
Date: Thu Feb 16 06:36:16 2017
New Revision: 313800
URL: https://svnweb.freebsd.org/changeset/base/313800

Log:
  Do not access memory past the buffer end.
  Do not accept and silently truncate too long hostname.
  
  Reported and tested by:	pho
  Sponsored by:	The FreeBSD Foundation
  MFC after:	1 week

Modified:
  head/sys/fs/nfsclient/nfs_clvfsops.c

Modified: head/sys/fs/nfsclient/nfs_clvfsops.c
==============================================================================
--- head/sys/fs/nfsclient/nfs_clvfsops.c	Thu Feb 16 06:34:20 2017	(r313799)
+++ head/sys/fs/nfsclient/nfs_clvfsops.c	Thu Feb 16 06:36:16 2017	(r313800)
@@ -1270,8 +1270,13 @@ nfs_mount(struct mount *mp)
 			error = EINVAL;
 			goto out;
 		}
-		bcopy(args.hostname, hst, MNAMELEN);
-		hst[MNAMELEN - 1] = '\0';
+		if (len >= MNAMELEN) {
+			vfs_mount_error(mp, "Hostname too long");
+			error = EINVAL;
+			goto out;
+		}
+		bcopy(args.hostname, hst, len);
+		hst[len] = '\0';
 	}
 
 	if (vfs_getopt(mp->mnt_optnew, "principal", (void **)&name, NULL) == 0)



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201702160636.v1G6aGqY066846>