[prev in list] [next in list] [prev in thread] [next in thread]
List: linux-nfs
Subject: Re: [NFS] [PATCH 11/11] nfs-utils: mount: Fixed collision between
From: Neil Brown <neilb () suse ! de>
Date: 2007-02-28 23:33:53
Message-ID: 17894.4449.797539.255376 () notabene ! brown
[Download RAW message or body]
On Tuesday February 27, kzak@redhat.com wrote:
> On Tue, Feb 27, 2007 at 05:35:58PM +1100, Neil Brown wrote:
> > On Monday February 26, SteveD@redhat.com wrote:
> > > commit 96a3ceb3d35bf5edcb9446aded8375d3b98b4f5b
> > > Author: Cory Olmo <colmo@TrustedCS.com>
> > > Date: Sat Feb 24 16:20:40 2007 -0500
> > >
> > > This patch avoid the collision between commas in security contexts and the
> > > delimiter betweeen mount options.
> > >
> > > Signed-off-by: Karel Zak <kzak@redhat.com>
> > > Signed-off-by: Cory Olmo <colmo@TrustedCS.com>
> > >
> > > diff --git a/utils/mount/mount.c b/utils/mount/mount.c
> > > index b3d3696..f22747b 100644
> > > --- a/utils/mount/mount.c
> > > +++ b/utils/mount/mount.c
> > > @@ -285,18 +285,30 @@ static void parse_opts (const char *options, int *flags, char **extra_opts)
> > > {
> > > if (options != NULL) {
> > > char *opts = xstrdup(options);
> > > - char *opt;
> > > - int len = strlen(opts) + 20;
> > > -
> > > + char *opt, *p;
> > > + int len = strlen(opts) + 256;
> >
> > This is a worry. If 20 isn't big enough, why do you thing 256 will
>
> The 20 was big enough for conversion from usernames to UIDs, but it's
> not enough for selinux context names. I didn't found any definition
> for maximal length of selinux context name, so we need to select any
> range and assume that it's enough (or completely rewrite this part of
> the mount command and allocate all dynamically).
>
> > be? and where do we check that the buffer doesn't overflow (in this
> > setuid program).
>
> Please, read the code. We check the buffer size everywhere. I don't
> see there any place where the buffer can overflow.
OK, so I did read the code a bit more carefully, and now I'm even more
confused and concerned.
Firstly, I didn't notice that 'len' was being passed into parse_opt.
However the way it is being passed makes it totally useless.
parse_opt is called in a loop from parse_opts and each time it reduces
'len' by the amount that is added to 'extra_opts'.
However 'len' is passed by value, not by reference, so each time
around it starts at the same value and so is not effective in making
sure that extra_opts doesn't overflow it's buffer.
But further, I cannot see how extra_opts ever needs to be large than
'options'. All that is ever appended to it are sections that have
been removed from 'options'. So why was the +20 there in the first
place.
You mention "conversion from usernames to UIDs", but I cannot find
that anywhere. Could you please help me understand exactly why
"extra_opts" needs to be larger than "options" ??
Thanks,
NeilBrown
-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT & business topics through brief surveys-and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
_______________________________________________
NFS maillist - NFS@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nfs
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic