[8092] in bugtraq
Re: rpc.mountd vulnerabilities
daemon@ATHENA.MIT.EDU (Olaf Kirch)
Wed Sep 30 13:55:25 1998
Date: Wed, 30 Sep 1998 12:00:44 +0200
Reply-To: Olaf Kirch <okir@MONAD.SWB.DE>
From: Olaf Kirch <okir@MONAD.SWB.DE>
X-To: tiago <tiagor@SOLSUNI.PT>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: Your message of "Tue, 29 Sep 1998 10:57:02 BST."
<3610AEED.7024F8BB@solsuni.pt>
-----BEGIN PGP SIGNED MESSAGE-----
On Tue, 29 Sep 1998 10:57:02 BST, tiago wrote:
> I will send the diffs of a patch in one or two days.
> I did not contact the maintainer of the distribution. Anyone would
> please do so?

Why? If you had had a look at the file called BUGS you would have found
instructions about where to submit bug reports: unfsd@monad.swb.de.
What more can a maintainer of a package do than use file names that
scream at you?

A patch against 2.2beta29 (which most people seem to be using at the
moment) is included. The latest tarball is available from

ftp://linux.mathematik.tu-darmstadt.de/pub/linux/people/okir/
afe0f88c48add25f304a387ae4fb40ba nfs-server-2.2beta37.tar.gz

Olaf
- --
Olaf Kirch | --- o --- Nous sommes du soleil we love when we play
okir@monad.swb.de | / | \ sol.dhoop.naytheet.ah kin.ir.samse.qurax
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2i
-----END PGP SIGNATURE-----
------------------------------------------------------------------
diff -ur nfs-server-2.2beta29.orig/mount_dispatch.c nfs-server-2.2beta29/mount_dispatch.c
--- nfs-server-2.2beta29.orig/mount_dispatch.c Wed Feb 5 17:07:28 1997
+++ nfs-server-2.2beta29/mount_dispatch.c Wed Sep 30 12:04:52 1998
@@ -25,6 +25,8 @@
*/
#define MAXVERS 2
+#define NRENTRIES(x) (sizeof(x) / sizeof((x)[0]))
+
/*
* This is a dispatch table to simplify error checking,
* and supply return attributes for NFS functions.
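Review bot: `NRENTRIES(x)` only yields an entry count when `x` is an array whose definition is in scope, and the macro definition should carry a one-line comment saying so. Applied to a pointer, such as `dtbl` in the dispatcher further down, it would compile and silently return the wrong number.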
@@ -95,8 +97,8 @@
};
static unsigned int dtnrprocs[MAXVERS] = {
- sizeof(mount_1_table),
- sizeof(mount_2_table),
+ NRENTRIES(mount_1_table),
+ NRENTRIES(mount_2_table),
};
/*
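Review bot: `dtnrprocs[MAXVERS]` has to be kept in step with `MAXVERS` and `dtable` by hand, and nothing at this initializer says so. If `MAXVERS` is raised without a third `NRENTRIES(...)` line, the missing element is zero-initialized and the `proc_index >= dtnrprocs[vers_index]` test rejects every procedure of the new version; that fails closed, but a comment here would save the next person a debugging session. It is also worth recording in a comment that the old `sizeof(mount_1_table)` values were byte sizes rather than entry counts, since that is the reason for the change.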
@@ -114,12 +116,15 @@
vers_index = rqstp->rq_vers - 1;
_rpcsvcdirty = 1;
- dtbl = dtable[vers_index];
-
+ if (vers_index >= MAXVERS) {
+ svcerr_progvers(transp, 1, MAXVERS);
+ goto done;
+ }
if (proc_index >= dtnrprocs[vers_index]) {
svcerr_noproc(transp);
goto done;
}
+ dtbl = dtable[vers_index];
dent = &dtbl[proc_index];
memset(&argument, 0, dent->arg_size);
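Review bot: The new `vers_index >= MAXVERS` test only rejects version 0 if `vers_index` is unsigned, and its declaration is not visible in this hunk. With `vers_index = rqstp->rq_vers - 1`, a request with `rq_vers == 0` wraps to a large value when the variable is unsigned, but becomes -1 and passes the test when it is signed, after which `dtnrprocs[vers_index]` and `dtable[vers_index]` are read out of bounds. Please confirm that both `vers_index` and `proc_index` are unsigned, or add an explicit lower-bound test. Minor: `svcerr_progvers(transp, 1, MAXVERS)` hardcodes the low version as a literal 1; a named constant defined next to `MAXVERS` would keep the two together.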
------------------------------------------------------------------