Re: rpc.mountd vulnerabilities

From: Olaf Kirch (okirat_private)
Date: Wed Sep 30 1998 - 03:00:44 PDT

    -----BEGIN PGP SIGNED MESSAGE-----
    
    On Tue, 29 Sep 1998 10:57:02 BST, tiago wrote:
    >   I will send the diffs of a patch in one or two days.
    >   I did not contact the maintainer of the distribution. Would anyone
    > please do so?
    
    Why? If you had had a look at the file called BUGS you would have found
    instructions about where to submit bug reports: unfsdat_private
    What more can a maintainer of a package do than use file names that
    scream at you?
    
    A patch against 2.2beta29 (which most people seem to be using at the
    moment) is included. The latest tarball is available from
    ftp://linux.mathematik.tu-darmstadt.de/pub/linux/people/okir/
    
    afe0f88c48add25f304a387ae4fb40ba  nfs-server-2.2beta37.tar.gz
    
    
    Olaf
    - --
    Olaf Kirch         |  --- o --- Nous sommes du soleil we love when we play
    okirat_private  |    / | \   sol.dhoop.naytheet.ah kin.ir.samse.qurax
    
    ------------------------------------------------------------------
    diff -ur nfs-server-2.2beta29.orig/mount_dispatch.c nfs-server-2.2beta29/mount_dispatch.c
    --- nfs-server-2.2beta29.orig/mount_dispatch.c  Wed Feb  5 17:07:28 1997
    +++ nfs-server-2.2beta29/mount_dispatch.c       Wed Sep 30 12:04:52 1998
    @@ -25,6 +25,8 @@
      */
     #define        MAXVERS         2
    
    +#define NRENTRIES(x)   (sizeof(x) / sizeof((x)[0]))
    +
     /*
      * This is a dispatch table to simplify error checking,
      * and supply return attributes for NFS functions.
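
Review bot: NRENTRIES(x), as defined at the top of this hunk, gives the element count only when x is an array whose definition is in scope; handed a pointer it still compiles and returns sizeof(pointer) / sizeof(element) without a warning. A one-line comment above the macro saying it is for arrays only would guard against later misuse.
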
    @@ -95,8 +97,8 @@
     };
    
     static unsigned int            dtnrprocs[MAXVERS] = {
    -       sizeof(mount_1_table),
    -       sizeof(mount_2_table),
    +       NRENTRIES(mount_1_table),
    +       NRENTRIES(mount_2_table),
     };
    
     /*
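
Review bot: The two NRENTRIES() initializers in dtnrprocs[] are tied to mount_1_table and mount_2_table only by position, and nothing checks that the list has exactly MAXVERS entries. If a version is added and its count is left out here, the missing slot is zero-initialized and the proc_index comparison in the next hunk rejects every procedure for that version, which fails closed but silently. A comment stating that dtnrprocs[] must carry one count per supported version, in version order, would make the coupling explicit.
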
    @@ -114,12 +116,15 @@
            vers_index = rqstp->rq_vers - 1;
            _rpcsvcdirty = 1;
    
    -       dtbl = dtable[vers_index];
    -
    +       if (vers_index >= MAXVERS) {
    +               svcerr_progvers(transp, 1, MAXVERS);
    +               goto done;
    +       }
            if (proc_index >= dtnrprocs[vers_index]) {
                    svcerr_noproc(transp);
                    goto done;
            }
    +       dtbl = dtable[vers_index];
            dent = &dtbl[proc_index];
    
            memset(&argument, 0, dent->arg_size);
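
Review bot: The new guard "if (vers_index >= MAXVERS)" covers a version number of 0 only if vers_index is unsigned; it is assigned from "rqstp->rq_vers - 1" and its declaration is outside this hunk. If it is a signed int, version 0 yields -1, passes the guard, and then indexes dtnrprocs[] and dtable[] before their first element. Worth confirming the type, or testing rq_vers directly against the range 1..MAXVERS before subtracting. A smaller point: svcerr_progvers() is passed a literal 1 as the low version next to MAXVERS as the high one; a named minimum would keep the two in step.
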
    ------------------------------------------------------------------
    


