Skip site navigation (1)Skip section navigation (2) 
Date:      Wed, 21 Jan 2004 10:36:32 +0100 (CET)
From:      Frank Denis -Jedi/Sector One- <j@pureftpd.org>
To:        FreeBSD-gnats-submit@FreeBSD.org
Subject:   bin/61666: mount_nfs parsing bug, segmentation fault
Message-ID:  <200401210936.i0L9aWrP062410@static1.orbus.fr>
Resent-Message-ID: <200401210940.i0L9eIjc062673@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help 

>Number:         61666
>Category:       bin
>Synopsis:       mount_nfs parsing bug, segmentation fault
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Jan 21 01:40:16 PST 2004
>Closed-Date:
>Last-Modified:
>Originator:     Frank DENIS -Jedi/Sector One-
>Release:        FreeBSD 4.9-STABLE i386
>Organization:
42 Networks
>Environment:
System: FreeBSD static1.orbus.fr 4.9-STABLE FreeBSD 4.9-STABLE #0: Sat Nov 1 14:25:14 CET 2003 root@dax.orbus.fr:/usr/obj/usr/src/sys/J i386
>Description:

There's a problem with the way mount_nfs(8) parses
acregmin/acregmax/acdirmin and acdirmax.

Look at the code :

                        if (altflags & ALTF_ACREGMIN) {
                                nfsargsp->flags |= NFSMNT_ACREGMIN;
                                nfsargsp->acregmin =
                                    atoi(strstr(optarg, "acregmin=") + 9);
                        }
                        if (altflags & ALTF_ACREGMAX) {
                                nfsargsp->flags |= NFSMNT_ACREGMAX;
                                nfsargsp->acregmax =
                                    atoi(strstr(optarg, "acregmax=") + 9);
                        }


For instance if we use both acregmin and acregmax :

- on the first round, the ALTF_ACREGMIN will be set, everything's allright.

- on the next round (when optarg willl be "acregmax=xxx"), the first
statement will also get evaluated because ALTF_ACREGMIN has been set.
But strstr(optarg, "acregmin=") will be NULL. Dereferencing NULL + 9 produces
an obvious segmentation fault.

>How-To-Repeat:

Try for instance to mount a filesystem with acregmin=2,acregmax=2.
A segmentation fault occurs even when the command has not been started by
root.

>Fix:

-

>Release-Note:
>Audit-Trail:
>Unformatted:

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200401210936.i0L9aWrP062410>