From j@static1.orbus.fr  Wed Jan 21 01:36:39 2004
Return-Path: <j@static1.orbus.fr>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id D669B16A4CE
	for <FreeBSD-gnats-submit@freebsd.org>; Wed, 21 Jan 2004 01:36:38 -0800 (PST)
Received: from static1.orbus.fr (dax.orbus.fr [212.129.63.67])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 23E5343D41
	for <FreeBSD-gnats-submit@freebsd.org>; Wed, 21 Jan 2004 01:36:37 -0800 (PST)
	(envelope-from j@static1.orbus.fr)
Received: from static1.orbus.fr (localhost.orbus.fr [127.0.0.1])
	by static1.orbus.fr (8.12.10/8.12.10) with ESMTP id i0L9aXPH062411
	for <FreeBSD-gnats-submit@freebsd.org>; Wed, 21 Jan 2004 10:36:33 +0100 (CET)
	(envelope-from j@static1.orbus.fr)
Received: (from root@localhost)
	by static1.orbus.fr (8.12.10/8.12.10/Submit) id i0L9aWrP062410;
	Wed, 21 Jan 2004 10:36:32 +0100 (CET)
	(envelope-from j)
Message-Id: <200401210936.i0L9aWrP062410@static1.orbus.fr>
Date: Wed, 21 Jan 2004 10:36:32 +0100 (CET)
From: Frank Denis -Jedi/Sector One- <j@pureftpd.org>
Reply-To: Frank Denis -Jedi/Sector One- <j@pureftpd.org>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: mount_nfs parsing bug, segmentation fault
X-Send-Pr-Version: 3.113
X-GNATS-Notify: vs

>Number:         61666
>Category:       bin
>Synopsis:       [patch] mount_nfs(8) parsing bug, segmentation fault
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    vwe
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Jan 21 01:40:16 PST 2004
>Closed-Date:    Sun Jan 18 22:31:25 UTC 2009
>Last-Modified:  Sun Jan 18 22:31:25 UTC 2009
>Originator:     Frank DENIS -Jedi/Sector One-
>Release:        FreeBSD 4.9-STABLE i386
>Organization:
42 Networks
>Environment:
System: FreeBSD static1.orbus.fr 4.9-STABLE FreeBSD 4.9-STABLE #0: Sat Nov 1 14:25:14 CET 2003 root@dax.orbus.fr:/usr/obj/usr/src/sys/J i386
>Description:

There's a problem with the way mount_nfs(8) parses
acregmin/acregmax/acdirmin and acdirmax.

Look at the code:

                        if (altflags & ALTF_ACREGMIN) {
                                nfsargsp->flags |= NFSMNT_ACREGMIN;
                                nfsargsp->acregmin =
                                    atoi(strstr(optarg, "acregmin=") + 9);
                        }
                        if (altflags & ALTF_ACREGMAX) {
                                nfsargsp->flags |= NFSMNT_ACREGMAX;
                                nfsargsp->acregmax =
                                    atoi(strstr(optarg, "acregmax=") + 9);
                        }


For instance if we use both acregmin and acregmax :

- on the first round, the ALTF_ACREGMIN will be set, everything's all right.

- on the next round (when optarg will be "acregmax=xxx"), the first
statement will also get evaluated because ALTF_ACREGMIN has been set.
But strstr(optarg, "acregmin=") will be NULL. Dereferencing NULL + 9 produces
an obvious segmentation fault.

>How-To-Repeat:

Try for instance to mount a filesystem with acregmin=2,acregmax=2.
A segmentation fault occurs even when the command has not been started by
root.

>Fix:

-
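
An added stand-alone model of the option loop described in the PR above (example code written for this page, not the reporter's or FreeBSD's mount_nfs.c): the buggy per-round shape counts the NULL dereferences the unpatched code would make when acregmin and acregmax arrive in two separate -o rounds, and a hardened variant parses only the options matched in the current -o (the same split the patch later in this thread makes with curflags) and checks the strstr result before touching it. The ALTF_* bit values and the input rounds ("acregmin=2", then "acregmax=3") are constructed.

```c
/* Added example, not FreeBSD's mount_nfs.c: a model of the -o parsing loop
 * from this PR, buggy shape beside a hardened one. ALTF_* values are made up. */
#include <stdlib.h>
#include <string.h>

#define ALTF_ACREGMIN 0x01
#define ALTF_ACREGMAX 0x02

struct nfsopts { int flags; int acregmin; int acregmax; };

/* Parse the value of the whole-token "name=" in optarg ("acregmin=2,acregmax=3").
 * Returns 1 on success, 0 if the token is absent: the case in which the PR's
 * code computes strstr(optarg, name) + 9 on a NULL pointer. */
static int opt_value(const char *optarg, const char *name, int *out)
{
    const char *p = optarg;
    while ((p = strstr(p, name)) != NULL) {
        if (p == optarg || p[-1] == ',') {     /* token boundary, not "xacregmin=" */
            *out = atoi(p + strlen(name));     /* strlen(name), not a magic 9 */
            return 1;
        }
        p++;
    }
    return 0;
}

/* Buggy shape: flags persist across -o rounds (set_flags(..., TRUE) re-derives
 * them), so a bit from an earlier -o makes this round search an optarg that
 * lacks the option. Returns how many NULL dereferences that would cause. */
static int buggy_round(struct nfsopts *o, const char *optarg)
{
    int derefs = 0, v;
    if (opt_value(optarg, "acregmin=", &v)) o->flags |= ALTF_ACREGMIN; /* getmntopts stand-in */
    if (opt_value(optarg, "acregmax=", &v)) o->flags |= ALTF_ACREGMAX;
    if ((o->flags & ALTF_ACREGMIN) && !opt_value(optarg, "acregmin=", &o->acregmin)) derefs++;
    if ((o->flags & ALTF_ACREGMAX) && !opt_value(optarg, "acregmax=", &o->acregmax)) derefs++;
    return derefs;
}

/* Hardened shape: parse only options matched in this optarg (curflags), then
 * merge into the accumulated flags. Returns curflags for this round. */
static int safe_round(struct nfsopts *o, const char *optarg)
{
    int curflags = 0;
    if (opt_value(optarg, "acregmin=", &o->acregmin)) curflags |= ALTF_ACREGMIN;
    if (opt_value(optarg, "acregmax=", &o->acregmax)) curflags |= ALTF_ACREGMAX;
    o->flags |= curflags;
    return curflags;
}
```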

>Release-Note:
>Audit-Trail:

From: Volker Stolz <stolz@i2.informatik.rwth-aachen.de>
To: freebsd-gnats-submit@FreeBSD.org, j@pureftpd.org
Cc:  
Subject: Re: bin/61666: mount_nfs parsing bug, segmentation fault
Date: Wed, 18 Feb 2004 12:48:38 +0100

 The attached patch *should* help, but probably needs careful review.
 The option handling is mind-boggling anyway, especially w.r.t.
 'mountmode'. As 'getmntopts' and 'set_flags' are side-effect free,
 I'm confident it does the Right Thing. Patched and tested against
 -STABLE.
 
 Cheers,
   Volker
 -- 
 http://www-i2.informatik.rwth-aachen.de/stolz/ *** PGP *** S/MIME
 rage against the finite state machine 
 
 --- mount_nfs/mount_nfs.c	Tue Aug  5 10:56:03 2003
 +++ vs.mount_nfs/mount_nfs.c	Wed Feb 18 12:12:46 2004
 @@ -259,7 +259,7 @@
  	register struct nfs_args *nfsargsp;
  	struct nfs_args nfsargs;
  	struct nfsd_cargs ncd;
 -	int mntflags, altflags, nfssvc_flag, num;
 +	int mntflags, altflags, curflags, nfssvc_flag, num;
  	char *name, *p, *spec;
  	char mntpath[MAXPATHLEN];
  	struct vfsconf vfc;
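Review bot: curflags is declared beside altflags with nothing to say how the two differ, and the rest of the patch depends on that distinction (altflags is re-derived from nfsargsp->flags and so accumulates across every -o, curflags holds only what getmntopts matched in the current one). A one-line comment at the declaration, or a more telling name such as cur_altflags, would save the next reader from re-deriving it from the case 'o' body.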
 @@ -355,43 +355,47 @@
  			nfsargsp->flags &= ~NFSMNT_RESVPORT;
  			break;
  		case 'o':
 -			altflags = 0;
 +			altflags = curflags = 0;
 +			/* Get flags in current -o */
 +			getmntopts(optarg, mopts, &mntflags, &curflags);
  			set_flags(&altflags, &nfsargsp->flags, TRUE);
 +			/* NetBSD handles conflicting mountmodes much nicer */
  			if (mountmode == V2)
 -				altflags |= ALTF_NFSV2;
 +				curflags |= ALTF_NFSV2;
  			else if (mountmode == V3)
 -				altflags |= ALTF_NFSV3;
 -			getmntopts(optarg, mopts, &mntflags, &altflags);
 +				curflags |= ALTF_NFSV3;
 +			/* Join old and new flags */
 +			altflags = altflags | curflags;
  			set_flags(&altflags, &nfsargsp->flags, FALSE);
  			/*
 -			 * Handle altflags which don't map directly to
 +			 * Handle curflags which don't map directly to
  			 * mount flags.
  			 */
 -			if(altflags & ALTF_BG)
 +			if(curflags & ALTF_BG)
  				opflags |= BGRND;
 -			if(altflags & ALTF_MNTUDP)
 +			if(curflags & ALTF_MNTUDP)
  				mnttcp_ok = 0;
 -			if(altflags & ALTF_TCP) {
 +			if(curflags & ALTF_TCP) {
  				nfsargsp->sotype = SOCK_STREAM;
  				nfsproto = IPPROTO_TCP;
  			}
 -			if(altflags & ALTF_PORT)
 +			if(curflags & ALTF_PORT)
  				port_no = atoi(strstr(optarg, "port=") + 5);
  			mountmode = ANY;
 -			if(altflags & ALTF_NFSV2)
 +			if(curflags & ALTF_NFSV2)
  				mountmode = V2;
 -			if(altflags & ALTF_NFSV3)
 +			if(curflags & ALTF_NFSV3)
  				mountmode = V3;
 -			if(altflags & ALTF_ACREGMIN)
 +			if(curflags & ALTF_ACREGMIN)
  				nfsargsp->acregmin = atoi(strstr(optarg,
  				    "acregmin=") + 9);
 -			if(altflags & ALTF_ACREGMAX)
 +			if(curflags & ALTF_ACREGMAX)
  				nfsargsp->acregmax = atoi(strstr(optarg,
  				    "acregmax=") + 9);
 -			if(altflags & ALTF_ACDIRMIN)
 +			if(curflags & ALTF_ACDIRMIN)
  				nfsargsp->acdirmin = atoi(strstr(optarg,
  				    "acdirmin=") + 9);
 -			if(altflags & ALTF_ACDIRMAX)
 +			if(curflags & ALTF_ACDIRMAX)
  				nfsargsp->acdirmax = atoi(strstr(optarg,
  				    "acdirmax=") + 9);
  			break;
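Review bot: the strstr(optarg, "...") + 9 reads are still unchecked after this change. Switching the conditions to curflags removes the cross-round case the PR describes (a bit left over from a previous -o driving a search of the current optarg), but the code still assumes that whatever getmntopts matched appears literally as "acregmin=" and friends in optarg; a NULL test on each strstr result before the pointer arithmetic, failing with the offending optarg, would make that assumption explicit and keep any mismatch between the two matchers from becoming a crash. Two smaller points: altflags = altflags | curflags; reads more naturally as altflags |= curflags;, and carrying the previous mountmode into curflags means -o nfsv2 followed by -o nfsv3 sets both bits and silently lets the later if (ALTF_NFSV3) win; the "NetBSD handles conflicting mountmodes much nicer" comment hints at this but does not say what this code does.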
 
Responsible-Changed-From-To: freebsd-bugs->peter 
Responsible-Changed-By: vs 
Responsible-Changed-When: Thu Jul 15 10:18:35 GMT 2004 
Responsible-Changed-Why:  
Peter looked at this some time ago. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=61666 

From: Volker <volker@vwsoft.com>
To: bug-followup@FreeBSD.org, j@pureftpd.org
Cc:  
Subject: Re: bin/61666: [patch] mount_nfs(8) parsing bug, segmentation fault
Date: Mon, 11 Feb 2008 13:04:47 +0100

 Still an issue or can we close this PR?

From: "Garrett Cooper" <yanefbsd@gmail.com>
To: bug-followup@FreeBSD.org, j@pureftpd.org
Cc:  
Subject: Re: bin/61666: [patch] mount_nfs(8) parsing bug, segmentation fault
Date: Fri, 20 Jun 2008 19:41:07 -0700

 Still an issue according to cvs.
 -Garrett

From: "Garrett Cooper" <yanefbsd@gmail.com>
To: bug-followup@FreeBSD.org, j@pureftpd.org
Cc:  
Subject: Re: bin/61666: [patch] mount_nfs(8) parsing bug, segmentation fault
Date: Fri, 20 Jun 2008 19:43:53 -0700

 Never mind. Someone added in an if-statement that covers the null check.
 -Garrett
State-Changed-From-To: open->closed 
State-Changed-By: vwe 
State-Changed-When: Sun Jan 18 22:19:28 UTC 2009 
State-Changed-Why:  
The issue mentioned has been fixed with rev 1.56 in HEAD (year 2002).
By reviewing the code currently in cvs/svn, the problem should
not occur anymore.
The change never made it into the RELENG_4 branch, which EOL'd
a long time ago.


Responsible-Changed-From-To: peter->vwe 
Responsible-Changed-By: vwe 
Responsible-Changed-When: Sun Jan 18 22:19:28 UTC 2009 
Responsible-Changed-Why:  
track 

http://www.freebsd.org/cgi/query-pr.cgi?pr=61666 
>Unformatted:
