
Bug #5059

Possible memory corruption and leak in mount_nfs(1m)

Added by Marcel Telka almost 6 years ago.

Status: New
Priority: Low
Assignee: -
Category: nfs - NFS server and client
Start date: 2014-07-31
Due date:
% Done: 0%
Estimated time:
Difficulty: Medium
Tags: needs-triage
Gerrit CR:

Description

The get_fh() function in usr/src/cmd/fs.d/nfs/mount/mount.c might be called several times in a loop. When MOUNTVERS3 is used, the following code is executed:

    case MOUNTVERS3:
        *versp = nfsvers_to_use = NFS_V3;
        rpc_stat = clnt_call(cl, MOUNTPROC_MNT, xdr_dirpath,
            (caddr_t)&fspath, xdr_mountres3, (caddr_t)&mountres3,
            timeout);

On the first get_fh() call everything goes well: mountres3 is filled with the received data, and memory for fhandle and auth_flavors is allocated (see the documentation for xdr_bytes() and xdr_array()).

On the second get_fh() call, mountres3 is reused (since it is declared static), and the previously allocated memory (for fhandle and auth_flavors) pointed to by mountres3 is reused as well.

If the buffers allocated during the first call are smaller than the data that needs to be decoded on the second call, xdr_mountres3() can corrupt memory by writing past the end of the allocated buffers.

In addition, the buffers allocated in xdr_mountres3() are leaked, since the call to clnt_freeres() for mountres3 is missing.

A similar problem exists with the fhs and p local variables in get_fh().

To fix the memory corruption, the affected variables need to be zeroed (using memset(), for example).
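The reuse pattern described above, as an added example (not illumos code): decode_into() models how xdr_bytes() behaves on XDR_DECODE, allocating only when the target pointer is NULL and otherwise trusting the existing buffer; the capacity field and the reported overflow are constructed for this example, since the real decoder simply writes past the buffer. The struct fh_result, free_result() and reuse_static_result() names are assumptions of the example.

```c
#include <stdlib.h>
#include <string.h>

/* Stand-in for the fhandle3 part of mountres3. The capacity field is an
 * example-only record so the unsafe path can report an overflow instead
 * of performing it; real xdr_bytes() keeps no such record. */
struct fh_result {
    unsigned int len;
    char *data;
    size_t capacity;
};

/* Mimics xdr_bytes() on XDR_DECODE: allocate when the pointer is NULL,
 * otherwise reuse whatever is there. Returns 1 for an in-bounds decode,
 * 0 where the real code would write past the buffer. */
static int decode_into(struct fh_result *r, const char *wire, unsigned int n)
{
    if (r->data == NULL) {
        r->data = malloc(n);
        r->capacity = n;
    }
    r->len = n;
    if (n > r->capacity)
        return 0;
    memcpy(r->data, wire, n);
    return 1;
}

/* What clnt_freeres() does for the result: release the decoded storage. */
static void free_result(struct fh_result *r)
{
    free(r->data);
    memset(r, 0, sizeof(*r));
}

/* The get_fh() pattern: a static result decoded into on every call. With
 * fix == 0 nothing is zeroed or freed between calls; with fix == 1 the
 * struct is zeroed before the decode and freed afterwards. Returns how
 * many of the two decodes stayed within their buffer. */
int reuse_static_result(int fix)
{
    static struct fh_result res;
    const char *replies[] = { "short", "a considerably longer file handle" };
    int ok = 0;
    for (int i = 0; i < 2; i++) {
        if (fix)
            memset(&res, 0, sizeof(res));  /* forces a fresh allocation */
        ok += decode_into(&res, replies[i], (unsigned int)strlen(replies[i]));
        if (fix)
            free_result(&res);             /* the missing clnt_freeres() */
    }
    return ok;
}
```

Without the fix the second, larger reply is decoded into the buffer sized for the first one, which is exactly the write past the allocation the report describes.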
