[PATCH] NFSv3 symlink bug

From: Andreas Schwab (schwab@suse.de)
Date: Tue Oct 02 2001 - 11:58:53 EST

Next message: Robert Olsson: "Re: [announce] [patch] limiting IRQ load, irq-rewrite-2.4.11-B5"
Previous message: Andrew Morton: "Re: Huge console switching lags"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

The NFSv3 server in the 2.4.10 kernel has a bug in the symlink
implementation. The target pathname of the symlink is not necessarily
zero terminated when passed to vfs_symlink. This does not happen with
NFSv2, because it explicitly zero terminates the string when decoding it
from XDR (xdr_decode_string does this), but NFSv3 uses
xdr_decode_string_inplace. As a result you may get a spurious
ENAMETOOLONG when trying to create a symbolic link on a NFSv3 mounted
filesystem (if the length of the target path is a multiple of four). If
you don't get an error the created symlink will have random characters
appended, which exposes kernel memory to user space (that's why it's a
security problem).

This patch changes the NFSv3 xdr function to use xdr_decode_string for the
symlink target, which seems to be the easiest solution. I also considered
adding an additional parameter to vfs_symlink to pass the length, but that
requires changes in each and every filesystem and changes the VFS API.
That could be a task for 2.5.x.

--- linux/fs/nfsd/nfs3xdr.c.~1~ Fri Sep 21 06:02:01 2001
+++ linux/fs/nfsd/nfs3xdr.c Tue Oct 2 16:12:27 2001
@@ -99,7 +99,11 @@
         char *name;
         int i;

- if ((p = xdr_decode_string_inplace(p, namp, lenp, NFS3_MAXPATHLEN)) != NULL) {
+ /*
+ * Cannot use xdr_decode_string_inplace here, the name must be
+ * zero terminated for vfs_symlink.
+ */
+ if ((p = xdr_decode_string(p, namp, lenp, NFS3_MAXPATHLEN)) != NULL) {
                 for (i = 0, name = *namp; i < *lenp; i++, name++) {
                         if (*name == '\0')
                                 return NULL;

Andreas.

-- 
Andreas Schwab                                  "And now for something
Andreas.Schwab@suse.de				completely different."
SuSE Labs, SuSE GmbH, Schanzäckerstr. 10, D-90443 Nürnberg
Key fingerprint = 58CA 54C7 6D53 942B 1756  01D3 44D5 214B 8276 4ED5
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Next message: Robert Olsson: "Re: [announce] [patch] limiting IRQ load, irq-rewrite-2.4.11-B5"
Previous message: Andrew Morton: "Re: Huge console switching lags"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b29 : Sun Oct 07 2001 - 21:00:22 EST