share/security/patches/SA-10:06/nfsclient.patch


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40

Index: sys/nfsclient/nfs_vfsops.c
===================================================================
--- sys/nfsclient/nfs_vfsops.c	(revision 208414)
+++ sys/nfsclient/nfs_vfsops.c	(working copy)
@@ -1074,6 +1074,11 @@
 		error = EINVAL;
 		goto out;
 	}
+	if (args.fhsize < 0 || args.fhsize > NFSX_V3FHMAX) {
+		vfs_mount_error(mp, "Bad file handle");
+		error = EINVAL;
+		goto out;
+	}

 	if (mp->mnt_flag & MNT_UPDATE) {
 		struct nfsmount *nmp = VFSTONFS(mp);
Index: lib/libc/sys/mount.2
===================================================================
--- lib/libc/sys/mount.2	(revision 208535)
+++ lib/libc/sys/mount.2	(working copy)
@@ -107,7 +107,7 @@
 .Va vfs.usermount
 .Xr sysctl 8
 variable
-to a non-zero value.
+to a non-zero value; see the BUGS section for more information.
 .Pp
 The following
 .Fa flags
@@ -374,3 +374,10 @@
 .Fx 5.0 .
 .Sh BUGS
 Some of the error codes need translation to more obvious messages.
+.Pp
+Allowing untrusted users to mount arbitrary media, e.g. by enabling
+.Va vfs.usermount ,
+should not be considered safe.
+Most file systems in
+.Fx
+were not built to safeguard against malicious devices.