rpc.mountd: Fix mountd segfault (bz 1713937)

Signed-off-by: Steve Dickson <steved@redhat.com>
2019-05-29 13:52:45 -04:00 · 2019-05-29 13:52:45 -04:00 · 5cf0e00030
commit 5cf0e00030
parent 4d64abcf4f
2 changed files with 88 additions and 1 deletions
--- a/nfs-utils-2.3.4-mountd-segfault.patch
+++ b/nfs-utils-2.3.4-mountd-segfault.patch
@ -0,0 +1,83 @@
 commit ca668e35d16ca296dee1bd000de8eb8d20433a21
 Author: Chuck Lever <chuck.lever@oracle.com>
 Date:   Tue May 28 10:02:49 2019 -0400
    rpc.mountd: Fix mountd segfault
    After commit 8f459a072f93 ("Remove abuse of ai_canonname") the
    ai_canonname field in addrinfo structs returned from
    host_reliable_addrinfo() is always NULL. This results in mountd
    segfaults when there are netgroups or hostname wildcards in
    /etc/exports.
    Add an extra DNS query in check_wildcard() and check_netgroup() to
    obtain the client's canonical hostname instead of dereferencing
    the NULL pointer.
    Reported-by: Mark Wagner <mark@lanfear.net>
    Fixes: 8f459a072f93 ("Remove abuse of ai_canonname")
    Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
    Signed-off-by: Steve Dickson <steved@redhat.com>
 diff --git a/support/export/client.c b/support/export/client.c
 index a1fba01..ea4f89d 100644
 --- a/support/export/client.c
 +++ b/support/export/client.c
@@ -608,24 +608,36 @@ check_subnetwork(const nfs_client *clp, const struct addrinfo *ai)
 static int
 check_wildcard(const nfs_client *clp, const struct addrinfo *ai)
 {
 -	char *cname = clp->m_hostname;
 -	char *hname = ai->ai_canonname;
 +	char *hname, *cname = clp->m_hostname;
 	struct hostent *hp;
 	char **ap;
 +	int match;
 -	if (wildmat(hname, cname))
 -		return 1;
 +	match = 0;
 +
 +	hname = host_canonname(ai->ai_addr);
 +	if (hname == NULL)
 +		goto out;
 +
 +	if (wildmat(hname, cname)) {
 +		match = 1;
 +		goto out;
 +	}
 	/* See if hname aliases listed in /etc/hosts or nis[+]
 	 * match the requested wildcard */
 	hp = gethostbyname(hname);
 	if (hp != NULL) {
 		for (ap = hp->h_aliases; *ap; ap++)
 -			if (wildmat(*ap, cname))
 -				return 1;
 +			if (wildmat(*ap, cname)) {
 +				match = 1;
 +				goto out;
 +			}
 	}
 -	return 0;
 +out:
 +	free(hname);
 +	return match;
 }
 /*
@@ -645,11 +657,9 @@ check_netgroup(const nfs_client *clp, const struct addrinfo *ai)
 	match = 0;
 -	hname = strdup(ai->ai_canonname);
 -	if (hname == NULL) {
 -		xlog(D_GENERAL, "%s: no memory for strdup", __func__);
 +	hname = host_canonname(ai->ai_addr);
 +	if (hname == NULL)
 		goto out;
 -	}
 	/* First, try to match the hostname without
 	 * splitting off the domain */
--- a/nfs-utils.spec
+++ b/nfs-utils.spec
@ -2,7 +2,7 @@ Summary: NFS utilities and supporting clients and daemons for the kernel NFS ser
 Name: nfs-utils
 URL: http://linux-nfs.org/
 Version: 2.3.4
-Release: 1%{?dist}
+Release: 2%{?dist}
 Epoch: 1
 # group all 32bit related archs
@ -19,6 +19,7 @@ Source6: nfs-convert.service
 Patch001: nfs-utils-2.3.4-mount-fallback.patch
 Patch002: nfs-utils-2.3.4-PRIx64-integers.patch
 Patch003: nfs-utils-2.3.4-mountd-memleak.patch
 Patch004: nfs-utils-2.3.4-mountd-segfault.patch
 Patch100: nfs-utils-1.2.1-statdpath-man.patch
 Patch101: nfs-utils-1.2.1-exp-subtree-warn-off.patch
@ -362,6 +363,9 @@ fi
 %{_pkgdir}/*/var-lib-nfs-rpc_pipefs.mount
 %changelog
 * Tue May 28 2019 Steve Dickson <steved@redhat.com> 2.3.4-2
 - rpc.mountd: Fix mountd segfault (bz 1713937)
 * Thu May 23 2019 Steve Dickson <steved@redhat.com> 2.3.4-1
 - mount: Report correct error in the fall_back cases (bz 1709961)
 - sqlite.c: Use PRIx64 macro to print 64-bit integers