Date: Thu, 16 Feb 2017 06:36:16 +0000 (UTC) From: Konstantin Belousov <kib@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r313800 - head/sys/fs/nfsclient Message-ID: <201702160636.v1G6aGqY066846@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: kib Date: Thu Feb 16 06:36:16 2017 New Revision: 313800 URL: https://svnweb.freebsd.org/changeset/base/313800 Log: Do not access memory past the buffer end. Do not accept and silently truncate too long hostname. Reported and tested by: pho Sponsored by: The FreeBSD Foundation MFC after: 1 week Modified: head/sys/fs/nfsclient/nfs_clvfsops.c Modified: head/sys/fs/nfsclient/nfs_clvfsops.c ============================================================================== --- head/sys/fs/nfsclient/nfs_clvfsops.c Thu Feb 16 06:34:20 2017 (r313799) +++ head/sys/fs/nfsclient/nfs_clvfsops.c Thu Feb 16 06:36:16 2017 (r313800) @@ -1270,8 +1270,13 @@ nfs_mount(struct mount *mp) error = EINVAL; goto out; } - bcopy(args.hostname, hst, MNAMELEN); - hst[MNAMELEN - 1] = '\0'; + if (len >= MNAMELEN) { + vfs_mount_error(mp, "Hostname too long"); + error = EINVAL; + goto out; + } + bcopy(args.hostname, hst, len); + hst[len] = '\0'; } if (vfs_getopt(mp->mnt_optnew, "principal", (void **)&name, NULL) == 0)
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201702160636.v1G6aGqY066846>