Possible memory corruption and leak in mount_nfs(1m)
The get_fh() function in usr/src/cmd/fs.d/nfs/mount/mount.c may be called several times in a loop. When MOUNTVERS3 is used, the following code is executed:
	case MOUNTVERS3:
		*versp = nfsvers_to_use = NFS_V3;
		rpc_stat = clnt_call(cl, MOUNTPROC_MNT, xdr_dirpath,
		    (caddr_t)&fspath, xdr_mountres3, (caddr_t)&mountres3,
		    timeout);
On the first get_fh() call everything goes well: mountres3 is filled with the received data, and memory for fhandle and auth_flavors is allocated (see the documentation for xdr_bytes() and xdr_array()).
On the second get_fh() call, mountres3 is reused (since it is declared static), and so are the previously allocated buffers (for fhandle and auth_flavors) that mountres3 points to.
If those pre-allocated buffers (allocated during the first call) are smaller than the data to be decoded by the second call, xdr_mountres3() can corrupt memory by writing past the end of the allocated buffers.
In addition, the buffers allocated in xdr_mountres3() are leaked, since there is no call to clnt_freeres() for mountres3.
The fhs and p local variables in get_fh() have the same problem.
To fix the memory corruption, the affected variables need to be set to zero (using memset(), for example).
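The reuse problem above, as an added example that is not part of this report or of the illumos source: a small model of the xdr_bytes() decode rule, with the reported get_fh() shape beside the zero-and-free fix. model_decode_bytes, model_cap, buggy_loop and fixed_loop are constructed names, the wire data is constructed, and the model reports an overflow instead of performing it.

```c
#include <stdlib.h>
#include <string.h>

/* Stands in for mountres3's fhandle field: an XDR opaque<> (length + data). */
struct fh_result { unsigned int fh_len; char *fh_val; };

static size_t model_cap;    /* size of the buffer the model handed out */

/* Model of xdr_bytes() in XDR_DECODE mode: allocate only when the value
 * pointer (fh_val) is NULL, otherwise decode into whatever buffer is already
 * there. The real routine cannot know that buffer's size; the model reports
 * the overflow (-2) instead of performing it. */
static int model_decode_bytes(struct fh_result *r, const char *wire, unsigned len)
{
    if (r->fh_val == NULL) {
        r->fh_val = malloc(len);
        if (r->fh_val == NULL) return -1;
        model_cap = len;
    } else if (len > model_cap) {
        return -2;                     /* would write past the old buffer */
    }
    memcpy(r->fh_val, wire, len);
    r->fh_len = len;
    return 0;
}

/* get_fh() as reported: the result struct is static, is never zeroed and
 * its buffers are never freed, so call 2 decodes into call 1's buffer. */
static int buggy_loop(const char *const *wires, const unsigned *lens, int n)
{
    static struct fh_result res;
    int rc = 0;
    for (int i = 0; i < n && rc == 0; i++)
        rc = model_decode_bytes(&res, wires[i], lens[i]);
    return rc;                         /* the buffer also leaks here */
}

/* The fix: release the previous call's buffers (clnt_freeres() in the real
 * code) and memset() the struct to zero so the decoder allocates afresh. */
static int fixed_loop(const char *const *wires, const unsigned *lens, int n)
{
    static struct fh_result res;
    int rc = 0;
    for (int i = 0; i < n && rc == 0; i++) {
        free(res.fh_val);              /* free(NULL) on the first pass is fine */
        memset(&res, 0, sizeof(res));
        rc = model_decode_bytes(&res, wires[i], lens[i]);
    }
    free(res.fh_val); memset(&res, 0, sizeof(res));
    return rc;
}
```

With an 8-byte handle followed by a 16-byte one, buggy_loop reports the overflow (-2) on the second decode while fixed_loop returns 0.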