
exportfs crash with long path

Message ID 1349708828.1183.5.camel@lix (mailing list archive)
State New, archived

Commit Message

Ivan Romanov Oct. 8, 2012, 3:07 p.m. UTC
Hello. I opened a bug against nfs-utils on Red Hat Bugzilla and got
advice to email upstream. So I am just repeating my bug text with a patch.

How reproducible:
always

Steps to Reproduce:
# mkdir -p /home/kudinae/?????????????
# echo '/home/kudinae/????????????? oek-1(rw,sync,no_wdelay,no_root_squash,no_subtree_check)' > /etc/exports
# exportfs -a
Segmentation fault

I've obtained the sources. The crash happens at export.c:293. The variable
pos has a negative value. I think the problem is in the strtoint and
export_hash functions. strtoint has an unsigned type and always returns a
positive value, but export_hash implicitly casts it to a signed int. So it
is possible to get a negative value. I wrote a patch to fix this.

Original Red Hat bug
https://bugzilla.redhat.com/show_bug.cgi?id=863054
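
The sign problem described in the report, as an added example that is not part of the original post or of nfs-utils. toy_strtoint, TABLE_SIZE, bucket_in_range and the sample path are assumptions made for illustration; the page does not show the real strtoint body or the value of HASH_TABLE_SIZE.

```c
#include <stdio.h>

#define TABLE_SIZE 1021 /* assumed size; HASH_TABLE_SIZE is not shown on the page */

/* Stand-in for strtoint(): folds the path bytes into an unsigned value
 * (effectively the last four bytes). Not the nfs-utils implementation. */
static unsigned int toy_strtoint(const char *str)
{
    unsigned int n = 0;
    while (*str)
        n = n * 256u + (unsigned char)*str++;
    return n;
}

/* Before the fix: the unsigned hash is stored in an int. A value above
 * INT_MAX becomes negative (implementation-defined, wraps on gcc/clang),
 * and % with a negative left operand gives a negative remainder. */
static int bucket_signed(const char *str)
{
    int num = toy_strtoint(str);
    return num % TABLE_SIZE;
}

/* After the fix: the modulo is done in unsigned arithmetic, so the
 * result is always in 0 .. TABLE_SIZE-1. */
static int bucket_unsigned(const char *str)
{
    unsigned int num = toy_strtoint(str);
    return num % TABLE_SIZE;
}

/* Range check a caller can apply before indexing a table with the bucket. */
static int bucket_in_range(int pos)
{
    return pos >= 0 && pos < TABLE_SIZE;
}

/* Constructed sample path ending in bytes >= 0x80 (non-ASCII name). */
static const char sample_path[] = "/export/\xd0\xb0\xd0\xb1\xd0\xb2";

int main(void)
{
    int before = bucket_signed(sample_path);
    int after = bucket_unsigned(sample_path);
    printf("signed num:   bucket %d, in range: %d\n", before, bucket_in_range(before));
    printf("unsigned num: bucket %d, in range: %d\n", after, bucket_in_range(after));
    return 0;
}
```
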

Comments

J. Bruce Fields Oct. 10, 2012, 12:28 p.m. UTC | #1
On Mon, Oct 08, 2012 at 09:07:08PM +0600, Ivan Romanov wrote:
> Hello. I opened a bug against nfs-utils on Red Hat Bugzilla and got
> advice to email upstream. So I am just repeating my bug text with a patch.
> 
> How reproducible:
> always
> 
> Steps to Reproduce:
> # mkdir -p /home/kudinae/?????????????
> # echo '/home/kudinae/????????????? oek-1(rw,sync,no_wdelay,no_root_squash,no_subtree_check)' > /etc/exports
> # exportfs -a
> Segmentation fault
> 
> I've obtained the sources. The crash happens at export.c:293. The variable
> pos has a negative value. I think the problem is in the strtoint and
> export_hash functions. strtoint has an unsigned type and always returns a
> positive value, but export_hash implicitly casts it to a signed int. So it
> is possible to get a negative value. I wrote a patch to fix this.

The fix looks right to me, thanks.

--b.

> 
> Original Red Hat bug
> https://bugzilla.redhat.com/show_bug.cgi?id=863054

> diff --git a/support/export/export.c b/support/export/export.c
> index 4fda30a..0257903 100644
> --- a/support/export/export.c
> +++ b/support/export/export.c
> @@ -357,7 +357,7 @@ strtoint(char *str)
>  static int 
>  export_hash(char *str)
>  {
> -	int num = strtoint(str);
> +	unsigned int num = strtoint(str);
>  
>  	return num % HASH_TABLE_SIZE;
>  }
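
Review bot: in export_hash, the new declaration `unsigned int num = strtoint(str);` has no comment saying why the type matters, and it differs from the old line by a single keyword, so a later cleanup could switch it back to int. A short comment above it, noting that num must stay unsigned so that `num % HASH_TABLE_SIZE` cannot be negative, would record the reason given in the report next to the code.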

--
To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Steve Dickson Oct. 15, 2012, 5:13 p.m. UTC | #2
On 08/10/12 11:07, Ivan Romanov wrote:
> Hello. I opened a bug against nfs-utils on Red Hat Bugzilla and got
> advice to email upstream. So I am just repeating my bug text with a patch.
> 
> How reproducible:
> always
> 
> Steps to Reproduce:
> # mkdir -p /home/kudinae/?????????????
> # echo '/home/kudinae/????????????? oek-1(rw,sync,no_wdelay,no_root_squash,no_subtree_check)' > /etc/exports
> # exportfs -a
> Segmentation fault
> 
> I've obtained the sources. The crash happens at export.c:293. The variable
> pos has a negative value. I think the problem is in the strtoint and
> export_hash functions. strtoint has an unsigned type and always returns a
> positive value, but export_hash implicitly casts it to a signed int. So it
> is possible to get a negative value. I wrote a patch to fix this.
> 
> Original Red Hat bug
> https://bugzilla.redhat.com/show_bug.cgi?id=863054
> 
Committed...

steved.

Patch

diff --git a/support/export/export.c b/support/export/export.c
index 4fda30a..0257903 100644
--- a/support/export/export.c
+++ b/support/export/export.c
@@ -357,7 +357,7 @@  strtoint(char *str)
 static int 
 export_hash(char *str)
 {
-	int num = strtoint(str);
+	unsigned int num = strtoint(str);
 
 	return num % HASH_TABLE_SIZE;
 }
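
Review bot: export_hash is still declared `static int` although the value it returns is now computed in unsigned arithmetic. With a positive HASH_TABLE_SIZE that fits in an int, the result of `num % HASH_TABLE_SIZE` is non-negative after this change, so the conversion back to int is harmless; returning `unsigned int`, and checking that the callers hold the result in an unsigned variable, would state the non-negative contract in the signature instead of leaving it to one local declaration.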