From mike@marker.cs.utah.edu  Thu Apr 24 16:50:37 1997
Received: from marker.cs.utah.edu (marker.cs.utah.edu [155.99.212.61])
          by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id QAA10186
          for <FreeBSD-gnats-submit@freebsd.org>; Thu, 24 Apr 1997 16:50:36 -0700 (PDT)
Received: (from mike@localhost) by marker.cs.utah.edu (8.8.5/8.7.3) id RAA22720; Thu, 24 Apr 1997 17:50:32 -0600 (MDT)
Message-Id: <199704242350.RAA22720@marker.cs.utah.edu>
Date: Thu, 24 Apr 1997 17:50:32 -0600 (MDT)
From: Mike Hibler <mike@marker.cs.utah.edu>
Reply-To: mike@marker.cs.utah.edu
To: FreeBSD-gnats-submit@freebsd.org
Subject: kernel bug: typo in mount export list processing
X-Send-Pr-Version: 3.2

>Number:         3380
>Category:       kern
>Synopsis:       typo in mount export list processing
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Apr 24 17:00:01 PDT 1997
>Closed-Date:    Thu Apr 24 23:50:53 PDT 1997
>Last-Modified:  Thu Apr 24 23:54:18 PDT 1997
>Originator:     Mike Hibler
>Release:        FreeBSD 2.1.7-RELEASE i386
>Organization:
U.of U.
>Environment:

	All current versions of {open,net,free}bsd

>Description:

	There is a typo in mount's export list processing that results in FSes
	being exported to more networks than intended (though unlikely, it
	could be exploited via NFS, hence the "serious" and "high" rating).

	In kern/vfs_subr.c, in vfs_hang_addrlist():

	if (argp->ex_masklen) {
		smask = (struct sockaddr *) ((caddr_t) saddr + argp->ex_addrlen);
		/* BUG: copies the address (ex_addr) into the mask slot; should be ex_mask */
		error = copyin(argp->ex_addr, (caddr_t) smask, argp->ex_masklen);
		if (error)
			goto out;
		if (smask->sa_len > argp->ex_masklen)
			smask->sa_len = argp->ex_masklen;
	}

	copyin is using argp->ex_addr instead of argp->ex_mask as the address
	of the mask.
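	The following is an added illustration, not kernel code from this PR: a
	simplified model of export matching (host & mask == net & mask, ignoring
	the real radix tree and sockaddr layout) showing how a mask that is a
	copy of the network address admits hosts outside the intended /24.

```c
/* Simplified model of NFS export matching; added example, not FreeBSD code. */
#include <stdint.h>
#include <stdio.h>

/* Build a host-order IPv4 address from four octets (constructed input). */
static uint32_t ip4(unsigned a, unsigned b, unsigned c, unsigned d)
{
	return (a << 24) | (b << 16) | (c << 8) | d;
}

/* One export entry: the network address (ex_addr) and its netmask (ex_mask). */
struct export_net {
	uint32_t net;
	uint32_t mask;
};

/* A host matches when it agrees with the network on every masked bit. */
static int export_matches(const struct export_net *e, uint32_t host)
{
	return (host & e->mask) == (e->net & e->mask);
}

/* Build the entry for the constructed export 10.1.2.0/24.
 * buggy == 0: mask taken from ex_mask, as the fixed code does.
 * buggy != 0: mask is a copy of ex_addr, as the typo in the PR caused. */
static struct export_net demo_entry(int buggy)
{
	uint32_t ex_addr = ip4(10, 1, 2, 0), ex_mask = ip4(255, 255, 255, 0);
	struct export_net e = { ex_addr, buggy ? ex_addr : ex_mask };
	return e;
}

/* Returns 1 if the host would be granted access under the chosen behaviour. */
static int demo_match(int buggy, uint32_t host)
{
	struct export_net e = demo_entry(buggy);
	return export_matches(&e, host);
}

int main(void)
{
	uint32_t hosts[] = { ip4(10, 1, 2, 7), ip4(10, 1, 3, 7), ip4(11, 3, 6, 9) };
	for (size_t i = 0; i < sizeof hosts / sizeof hosts[0]; i++) {
		uint32_t h = hosts[i];
		printf("%u.%u.%u.%u  correct=%d  buggy=%d\n", h >> 24, (h >> 16) & 255,
		       (h >> 8) & 255, h & 255, demo_match(0, h), demo_match(1, h));
	}
	return 0;
}
```

	Hosts such as 10.1.3.7 and 11.3.6.9 are rejected by the intended /24 mask
	but accepted once the mask is a copy of the address, since every set bit
	of 10.1.2.0 is present in them.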

>How-To-Repeat:

	N/A

>Fix:
	
	Change ex_addr to ex_mask in the copyin.
>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->closed 
State-Changed-By: peter 
State-Changed-When: Thu Apr 24 23:50:53 PDT 1997 
State-Changed-Why:  
Suggested fix applied, Thanks! 
sys_kern.c, rev 1.83 (current), 1.64.2.4 (2.2), 1.30.4.4 (2.1) 
>Unformatted:
