Bug #7408

closed

possible NULL pointer dereference in mountd`mount

Added by Yuri Pankov almost 6 years ago. Updated about 5 years ago.

Status: Rejected
Priority: Normal
Assignee: -
Category: nfs - NFS server and client
Start date: 2016-09-27
Due date:
% Done: 0%
Estimated time:
Difficulty: Bite-size
Tags:
Gerrit CR:
External Bug:

Description

The following code in mountd's mount() function (with my comments added) could call mntlist_new() with host being NULL; mntlist_new() itself doesn't check for NULL:

        if (cln_havehost(&cln))
                host = cln_gethost(&cln); /* --- can be NULL */

        if (verbose)
                syslog(LOG_NOTICE, "MOUNT: %s %s %s",
                    (host == NULL) ? "unknown host" : host,
                    error ? "denied" : "mounted", path);

        /*
         * If we can not create a queue entry, go ahead and do it
         * in the context of this thread.
         */
        enqueued = enqueue_logging_data(host, transp, path, rpath,
            audit_status, error);
        if (enqueued == FALSE) {
                if (host == NULL) {
                        DTRACE_PROBE(mountd, name_by_in_thread);
                        host = cln_gethost(&cln); /* <--- still can be NULL */
                }

                DTRACE_PROBE(mountd, logged_in_thread);
                audit_mountd_mount(host, path, audit_status); /* BSM */
                if (!error)
                        /* add entry to mount list */
                        /* <--- possibly calling mntlist_new() with host being NULL */
                        mntlist_new(host, rpath);
        }

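As an added illustration (not illumos code and not part of this report), the following C program models the sequence quoted above with a stand-in mount-list routine that applies the same "unknown host" fallback the syslog() call already uses, so a NULL host is recorded rather than dereferenced. cln_gethost() is replaced by a constructed fake_cln_gethost() that returns NULL for an unresolvable client; the list layout, its limits and the function names are assumptions made for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for mountd's mount list (example only, not illumos code). */
#define MAX_ENTRIES   16
#define UNKNOWN_HOST  "unknown host"

struct mntentry {
	char host[64];
	char path[256];
};

static struct mntentry mntlist[MAX_ENTRIES];
static int mntcount;

/*
 * Guarded counterpart of mntlist_new(): a NULL host is recorded under the
 * same "unknown host" label the logging path uses, so an entry is still
 * created and nothing dereferences NULL. Returns the index of the new
 * entry, or -1 when path is NULL or the list is full.
 */
int
mntlist_new_guarded(const char *host, const char *path)
{
	struct mntentry *e;

	if (path == NULL || mntcount >= MAX_ENTRIES)
		return (-1);
	if (host == NULL)
		host = UNKNOWN_HOST;	/* same fallback as the syslog() call */

	e = &mntlist[mntcount];
	strncpy(e->host, host, sizeof (e->host) - 1);
	e->host[sizeof (e->host) - 1] = '\0';
	strncpy(e->path, path, sizeof (e->path) - 1);
	e->path[sizeof (e->path) - 1] = '\0';
	return (mntcount++);
}

/* Accessors so a caller (or test) can inspect what was recorded. */
const char *
mntlist_host(int idx)
{
	return ((idx >= 0 && idx < mntcount) ? mntlist[idx].host : NULL);
}

int
mntlist_count(void)
{
	return (mntcount);
}

/*
 * Hypothetical stand-in for cln_gethost(): returns NULL when the client
 * address cannot be resolved to a name, which is the case the report is about.
 */
const char *
fake_cln_gethost(int resolvable)
{
	return (resolvable ? "client.example" : NULL);
}

/*
 * Mirrors the quoted sequence: log with the NULL fallback, then, if the
 * mount was not denied, record it. Returns the list index or -1.
 */
int
mount_record(int resolvable, const char *path, int error)
{
	const char *host = fake_cln_gethost(resolvable);

	printf("MOUNT: %s %s %s\n", (host == NULL) ? UNKNOWN_HOST : host,
	    error ? "denied" : "mounted", path);
	if (error)
		return (-1);
	return (mntlist_new_guarded(host, path));
}

int
main(void)
{
	mount_record(1, "/export/home", 0);	/* resolvable client */
	mount_record(0, "/export/home", 0);	/* unresolvable: recorded as "unknown host" */
	mount_record(0, "/export/home", 1);	/* denied: not recorded */
	printf("%d entries recorded\n", mntlist_count());
	return (0);
}
```

The point of the guard is that the caller already tolerates a NULL host for logging; the stand-in simply extends the same convention to the list so the two paths cannot disagree about what a NULL host means.
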
Actions #1

Updated by Yuri Pankov about 5 years ago

  • Status changed from In Progress to Feedback
  • Assignee deleted (Yuri Pankov)
  • % Done changed from 50 to 0
Actions #2

Updated by Yuri Pankov about 5 years ago

  • Status changed from Feedback to Rejected