diff options
author | NeilBrown <neilb@suse.de> | 2011-05-23 08:19:57 -0400 |
---|---|---|
committer | Steve Dickson <steved@redhat.com> | 2011-05-23 08:25:00 -0400 |
commit | 7a802337bfc92d0b30fe94dbd0fa231990a26161 (patch) | |
tree | 0c03426f83fbe838991549dffb2d7d3a4fabc820 /support | |
parent | 56f537535190d034039570bafd9a0de71b79b8f1 (diff) | |
download | nfs-utils-7a802337bfc92d0b30fe94dbd0fa231990a26161.tar.gz nfs-utils-7a802337bfc92d0b30fe94dbd0fa231990a26161.tar.xz nfs-utils-7a802337bfc92d0b30fe94dbd0fa231990a26161.zip |
Remove risk of nfs_addmntent corrupting mtab
nfs_addmntent is used to append directly to /etc/mtab.
If the write partially fail, e.g. due to RLIMIT_FSIZE,
truncate back to original size and return an error.
See also https://bugzilla.redhat.com/show_bug.cgi?id=697975
(CVE-2011-1749) CVE-2011-1749 nfs-utils: mount.nfs fails to anticipate RLIMIT_FSIZE
Signed-off-by: NeilBrown <neilb@suse.de>
Signed-off-by: Steve Dickson <steved@redhat.com>
Diffstat (limited to 'support')
-rw-r--r-- | support/nfs/nfs_mntent.c | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/support/nfs/nfs_mntent.c b/support/nfs/nfs_mntent.c index a5216fc..a2118a2 100644 --- a/support/nfs/nfs_mntent.c +++ b/support/nfs/nfs_mntent.c @@ -12,6 +12,7 @@ #include <string.h> /* for index */ #include <ctype.h> /* for isdigit */ #include <sys/stat.h> /* for umask */ +#include <unistd.h> /* for ftruncate */ #include "nfs_mntent.h" #include "nls.h" @@ -127,9 +128,11 @@ int nfs_addmntent (mntFILE *mfp, struct mntent *mnt) { char *m1, *m2, *m3, *m4; int res; + off_t length; if (fseek (mfp->mntent_fp, 0, SEEK_END)) return 1; /* failure */ + length = ftell(mfp->mntent_fp); m1 = mangle(mnt->mnt_fsname); m2 = mangle(mnt->mnt_dir); @@ -143,6 +146,12 @@ nfs_addmntent (mntFILE *mfp, struct mntent *mnt) { free(m2); free(m3); free(m4); + if (res >= 0) { + res = fflush(mfp->mntent_fp); + if (res < 0) + /* Avoid leaving a corrupt mtab file */ + ftruncate(fileno(mfp->mntent_fp), length); + } return (res < 0) ? 1 : 0; } |