From mike@marker.cs.utah.edu Thu Apr 24 16:50:37 1997
Received: from marker.cs.utah.edu (marker.cs.utah.edu [155.99.212.61])
	by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id QAA10186
	for ; Thu, 24 Apr 1997 16:50:36 -0700 (PDT)
Received: (from mike@localhost) by marker.cs.utah.edu (8.8.5/8.7.3) id RAA22720; Thu, 24 Apr 1997 17:50:32 -0600 (MDT)
Message-Id: <199704242350.RAA22720@marker.cs.utah.edu>
Date: Thu, 24 Apr 1997 17:50:32 -0600 (MDT)
From: Mike Hibler
Reply-To: mike@marker.cs.utah.edu
To: FreeBSD-gnats-submit@freebsd.org
Subject: kernel bug: typo in mount export list processing
X-Send-Pr-Version: 3.2

>Number:         3380
>Category:       kern
>Synopsis:       typo in mount export list processing
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Apr 24 17:00:01 PDT 1997
>Closed-Date:    Thu Apr 24 23:50:53 PDT 1997
>Last-Modified:  Thu Apr 24 23:54:18 PDT 1997
>Originator:     Mike Hibler
>Release:        FreeBSD 2.1.7-RELEASE i386
>Organization:
U.of U.
>Environment:
All current versions of {open,net,free}bsd
>Description:
There is a typo in mount's export list processing that results in FSes
being exported to more networks than intended (though unlikely, it could
be exploited via NFS, hence the "serious" and "high" rating).

In kern/vfs_subr() in vfs_hang_addrlist:

	if (argp->ex_masklen) {
		smask = (struct sockaddr *) ((caddr_t) saddr + argp->ex_addrlen);
		error = copyin(argp->ex_addr, (caddr_t) smask, argp->ex_masklen);
		if (error)
			goto out;
		if (smask->sa_len > argp->ex_masklen)
			smask->sa_len = argp->ex_masklen;
	}

copyin is using argp->ex_addr instead of argp->ex_mask as the address of
the mask.
>How-To-Repeat:
N/A
>Fix:
Change ex_addr to ex_mask in the copyin.
>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->closed
State-Changed-By: peter
State-Changed-When: Thu Apr 24 23:50:53 PDT 1997
State-Changed-Why:
Suggested fix applied, Thanks!
sys_kern.c, rev 1.83 (current), 1.64.2.4 (2.2), 1.30.4.4 (2.1)
>Unformatted:
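To make the security impact concrete, here is an added model of the typo; it is not the kernel's code and not part of the PR. The struct shapes are reduced stand-ins (assumption), memcpy stands in for copyin, and the export-address lookup (a radix-tree match in the real kernel) is modelled as a plain masked compare (assumption). With the typo, the export's own address is stored as its mask, so every bit that is zero in the address becomes a don't-care bit and hosts well outside the intended /24 are admitted; every host the correct entry admits is still admitted, so the buggy entry is a strict superset.

```c
/*
 * Model of PR kern/3380: the mask copy in vfs_hang_addrlist reads the
 * export address instead of the export mask. Added illustration only.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Reduced stand-in for struct sockaddr_in (assumption). sin_addr is kept
 * in host order: only bit patterns matter to the compare below. */
struct sa_in {
    uint8_t  sin_len;
    uint8_t  sin_family;
    uint16_t sin_port;
    uint32_t sin_addr;
};

/* Reduced stand-in for struct export_args (assumption). */
struct export_args_model {
    struct sa_in *ex_addr;  int ex_addrlen;
    struct sa_in *ex_mask;  int ex_masklen;
};

/* What the kernel keeps for one export entry: address and mask. */
struct netcred_model {
    struct sa_in saddr;
    struct sa_in smask;
};

static uint32_t ip4(unsigned a, unsigned b, unsigned c, unsigned d)
{
    return ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | d;
}

/* Mirrors the copy sequence quoted in the PR. 'buggy' selects the source
 * of the mask copy: the typo reads argp->ex_addr, the fix argp->ex_mask.
 * memcpy stands in for copyin. */
static void hang_addrlist(const struct export_args_model *argp, int buggy,
                          struct netcred_model *np)
{
    memset(np, 0, sizeof *np);
    memcpy(&np->saddr, argp->ex_addr, argp->ex_addrlen);
    if (argp->ex_masklen) {
        const struct sa_in *src = buggy ? argp->ex_addr : argp->ex_mask;
        memcpy(&np->smask, src, argp->ex_masklen);
        if (np->smask.sin_len > argp->ex_masklen)
            np->smask.sin_len = (uint8_t)argp->ex_masklen;
    }
}

/* Export match: host is covered if it agrees with the export address on
 * every bit set in the stored mask (simplified model of the lookup). */
static int export_covers(const struct netcred_model *np, uint32_t host)
{
    uint32_t m = np->smask.sin_addr;
    return (host & m) == (np->saddr.sin_addr & m);
}

/* Constructed export of 155.99.212.0/24 (the submitter's network, from
 * the Received: header), built with or without the typo. */
static struct netcred_model build_export(int buggy)
{
    struct sa_in addr = { sizeof addr, 2 /* AF_INET */, 0, ip4(155, 99, 212, 0) };
    struct sa_in mask = { sizeof mask, 2, 0, ip4(255, 255, 255, 0) };
    struct export_args_model ea = { &addr, sizeof addr, &mask, sizeof mask };
    struct netcred_model np;
    hang_addrlist(&ea, buggy, &np);
    return np;
}

static uint32_t stored_mask(int buggy) { return build_export(buggy).smask.sin_addr; }

static int covers(int buggy, uint32_t host)
{
    struct netcred_model np = build_export(buggy);
    return export_covers(&np, host);
}

/* The address used as a mask can only clear required bits, never add
 * one, so the intended /24 stays covered under the typo as well. */
static int buggy_is_superset_on_intended_net(void)
{
    for (unsigned h = 0; h < 256; h++) {
        uint32_t host = ip4(155, 99, 212, h);
        if (!covers(0, host) || !covers(1, host))
            return 0;
    }
    return 1;
}

int main(void)
{
    uint32_t outsider = ip4(223, 127, 254, 7);   /* constructed remote host */
    printf("stored mask: correct=%08x buggy=%08x\n", stored_mask(0), stored_mask(1));
    printf("223.127.254.7 covered: correct=%d buggy=%d\n",
           covers(0, outsider), covers(1, outsider));
    return 0;
}
```

Running it shows the buggy entry storing 0x9b63d400 (155.99.212.0) as the mask, so a host such as 223.127.254.7, which has every bit of that pattern set, is treated as a member of the export list while the correctly masked entry rejects it.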