diff options
author | NeilBrown <neilb@suse.de> | 2012-05-01 15:26:54 -0400 |
---|---|---|
committer | Steve Dickson <steved@redhat.com> | 2012-05-01 15:30:00 -0400 |
commit | 4bcb8664cf44176a99fc2c4b92e7f28ee705a7d9 (patch) | |
tree | 0edeabf66321529595febd3abebfc1d0e08e4835 | |
parent | 8b50f9647aa4fd404e4cb70459c683eddc37f215 (diff) | |
download | nfs-utils-4bcb8664cf44176a99fc2c4b92e7f28ee705a7d9.tar.gz nfs-utils-4bcb8664cf44176a99fc2c4b92e7f28ee705a7d9.tar.xz nfs-utils-4bcb8664cf44176a99fc2c4b92e7f28ee705a7d9.zip |
v4_root_add_parents: remove a possible buffer overflow.
The loop in v4root_add_parents() is a little odd.
The first time through, 'ptr' points immediately "beyond"
a '/' character (the first). For every other iterration it points
directly "at" a '/' character.
Such inconsistency is error prone and infact there is an error.
If "path" is precisely "/", then the first call to
ptr = strchr(ptr, '/')
will be given a 'ptr' which is beyond the '\0' at the end of
"path". This could potentially contain anything and the strchr()
could search well beyond a buffer (though this depends on exactly how
the string is set up which depends on separate code).
So change the loop to have 'ptr' always point at a '/', and
handle the special case of "/" explicitly.
Signed-off-by: NeilBrown <neilb@suse.de>
Signed-off-by: Steve Dickson <steved@redhat.com>
-rw-r--r-- | utils/mountd/v4root.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/utils/mountd/v4root.c b/utils/mountd/v4root.c index 57ee0b2..708eb61 100644 --- a/utils/mountd/v4root.c +++ b/utils/mountd/v4root.c @@ -150,13 +150,13 @@ static int v4root_add_parents(nfs_export *exp) "pseudo export for '%s'", exp->m_export.e_path); return -ENOMEM; } - for (ptr = path + 1; ptr; ptr = strchr(ptr, '/')) { + for (ptr = path; ptr; ptr = strchr(ptr, '/')) { int ret; char saved; saved = *ptr; *ptr = '\0'; - ret = pseudofs_update(hostname, path, exp); + ret = pseudofs_update(hostname, *path ? path : "/", exp); if (ret) return ret; *ptr = saved; |