Bug 169230 - CVE-2005-4798 nfs client: handle long symlinks properly
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: kernel
Version: 3.0
Hardware/OS: All Linux
Priority: medium  Severity: medium
Assigned To: Steve Dickson
QA Contact: Brian Brock
Whiteboard: impact=moderate,source=bugzilla,repor...
Keywords: Security
Blocks: 168424
 
Reported: 2005-09-25 13:13 EDT by Steve Dickson
Modified: 2007-11-30 17:07 EST (History)

Fixed In Version: RHSA-2006-0144
Doc Type: Bug Fix
Last Closed: 2006-03-15 11:42:31 EST


Attachments: None
Description Steve Dickson 2005-09-25 13:13:10 EDT
Description of problem:
In 2.4.31, the v2/3 nfs readlink accepts too long symlinks.

How reproducible:
Always

Steps to Reproduce:
1. Have a server return long symlinks.

Actual Results:  symlink is truncated

Expected Results:  An error should be returned.

Additional info:

The LKML thread: http://lkml.org/lkml/2005/9/12/105
The upstream fix:

tree be323c0a65d7e380ad04cad1c3a80015a82056dd
parent bb52ef60b5caa8f973523eda15d3c3941f298e63
author Assar <assar@permabit.com> Thu, 15 Sep 2005 00:59:25 -0400
committer Marcelo Tosatti <marcelo@dmt.cnet> Thu, 22 Sep 2005 19:11:18 -0300

[PATCH] nfs client: handle long symlinks properly

In 2.4.31, the v2/3 nfs readlink accepts too long symlinks.
I have tested this by having a server return long symlinks.

diff -u linux-2.4.31.orig/fs/nfs/nfs2xdr.c linux-2.4.31/fs/nfs/nfs2xdr.c

 fs/nfs/nfs2xdr.c |    7 +++++--
 fs/nfs/nfs3xdr.c |    7 +++++--
 2 files changed, 10 insertions(+), 4 deletions(-)

diff --git a/fs/nfs/nfs2xdr.c b/fs/nfs/nfs2xdr.c
--- a/fs/nfs/nfs2xdr.c
+++ b/fs/nfs/nfs2xdr.c
@@ -571,8 +571,11 @@ nfs_xdr_readlinkres(struct rpc_rqst *req
 	strlen = (u32*)kmap(rcvbuf->pages[0]);
 	/* Convert length of symlink */
 	len = ntohl(*strlen);
-	if (len > rcvbuf->page_len)
-		len = rcvbuf->page_len;
+	if (len >= rcvbuf->page_len - sizeof(u32) || len > NFS2_MAXPATHLEN) {
+		printk(KERN_WARNING "NFS: server returned giant symlink!\n");
+		kunmap(rcvbuf->pages[0]);
+		return -ENAMETOOLONG;
+        }
 	*strlen = len;
 	/* NULL terminate the string we got */
 	string = (char *)(strlen + 1);
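Review bot: the bound `len >= rcvbuf->page_len - sizeof(u32)` is the right one: the string starts at `strlen + 1`, four bytes into the page, and the "NULL terminate" step that follows writes one more byte after it, so the largest acceptable `len` is `page_len - 5`; the old clamp to `page_len` left room for neither the length word nor that terminator. Two things to tighten before merging: `page_len - sizeof(u32)` is unsigned arithmetic, so a `page_len` smaller than 4 wraps and lets any `len` through, which deserves either an explicit `page_len < sizeof(u32)` rejection or a comment stating that the caller always supplies a full page; and the `printk(KERN_WARNING ...)` fires on every bad reply, so a hostile server can fill the log at will and the message should be rate-limited. Style: the closing `}` of the new block is indented with spaces where the surrounding code uses tabs.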
diff --git a/fs/nfs/nfs3xdr.c b/fs/nfs/nfs3xdr.c
--- a/fs/nfs/nfs3xdr.c
+++ b/fs/nfs/nfs3xdr.c
@@ -759,8 +759,11 @@ nfs3_xdr_readlinkres(struct rpc_rqst *re
 	strlen = (u32*)kmap(rcvbuf->pages[0]);
 	/* Convert length of symlink */
 	len = ntohl(*strlen);
-	if (len > rcvbuf->page_len)
-		len = rcvbuf->page_len;
+	if (len >= rcvbuf->page_len - sizeof(u32)) {
+		printk(KERN_WARNING "NFS: server returned giant symlink!\n");
+		kunmap(rcvbuf->pages[0]);
+		return -ENAMETOOLONG;
+        }
 	*strlen = len;
 	/* NULL terminate the string we got */
 	string = (char *)(strlen + 1);
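Review bot: this v3 check has no absolute ceiling, only the page-fit test, whereas the v2 hunk also rejects `len > NFS2_MAXPATHLEN`; NFSv3 defines no protocol maximum, but the decoded target still goes to the VFS, so a `len > PATH_MAX` test here would turn an oversized reply into -ENAMETOOLONG at the decoder rather than later. As in the v2 hunk, `page_len - sizeof(u32)` wraps if `page_len` is below 4 (add a guard or a comment that the caller guarantees a full page), the warning is not rate-limited and is reachable by any server the client mounts, and the closing `}` is space-indented while the rest of the file uses tabs.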
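Added example, not from the bug report or the kernel patch: a user-space C model of the nfs2xdr.c readlink decoder that shows why the pre-patch clamp to `page_len` was not enough and what the patched bound `len >= page_len - sizeof(u32)` buys. It assumes what the hunks show, namely that the length word sits at the start of the page and the string directly after it, and it models the "NULL terminate" step named in the hunk's trailing comment as a single byte written at `string[len]`. The page sizes and claimed lengths are constructed, the 1024 maximum stands in for NFS2_MAXPATHLEN, and the `page_len < 4` guard is the model's own addition, not part of the patch.

```c
#include <arpa/inet.h>   /* htonl/ntohl: the XDR length word is big-endian */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model limit; the kernel works with the page length of the xdr_buf. */
#define MODEL_MAX_PAGE 4096u

static uint8_t page_buf[MODEL_MAX_PAGE];

/* Constructed reply page: 4-byte big-endian length word followed by path
 * bytes, as a READLINK reply lands in rcvbuf->pages[0]. Only the bytes that
 * fit are written, so the length word may claim more than is really there. */
static void build_readlink_reply(uint8_t *page, size_t page_len, uint32_t claimed_len)
{
    uint32_t be = htonl(claimed_len);
    size_t room = page_len - sizeof be;
    memset(page, 0, page_len);
    memcpy(page, &be, sizeof be);
    memset(page + sizeof be, 'a', claimed_len < room ? claimed_len : room);
}

/* Pre-patch logic: clamp len to page_len and carry on. Returns the offset at
 * which the "NULL terminate" step writes; >= page_len means past the page. */
size_t old_nul_offset(const uint8_t *page, size_t page_len)
{
    uint32_t be, len;
    memcpy(&be, page, sizeof be);
    len = ntohl(be);
    if (len > page_len)
        len = page_len;
    return sizeof be + len;   /* the string starts right after the length word */
}

/* Post-patch logic, v2 flavour: page-fit test plus protocol maximum. On
 * success *out points at the NUL-terminated target inside the page. The
 * page_len < 4 guard is the model's own addition (assumption): the kernel's
 * unsigned subtraction would wrap for such a page. */
int new_decode_readlink(uint8_t *page, size_t page_len, uint32_t maxpath, char **out)
{
    uint32_t be, len;
    if (page_len < sizeof be)
        return -EINVAL;
    memcpy(&be, page, sizeof be);
    len = ntohl(be);
    if (len >= page_len - sizeof be || len > maxpath)
        return -ENAMETOOLONG;   /* no room left for the terminator */
    *out = (char *)(page + sizeof be);
    (*out)[len] = '\0';         /* offset 4 + len <= page_len - 1: in bounds */
    return 0;
}

/* Wrappers that build a page for one claimed length and run each decoder. */
size_t old_nul_offset_for(uint32_t claimed, size_t page_len)
{
    build_readlink_reply(page_buf, page_len, claimed);
    return old_nul_offset(page_buf, page_len);
}

long new_decode_for(uint32_t claimed, size_t page_len, uint32_t maxpath)
{
    char *target;
    int rc;
    build_readlink_reply(page_buf, page_len, claimed);
    rc = new_decode_readlink(page_buf, page_len, maxpath, &target);
    return rc ? rc : (long)strlen(target);   /* target length, or -errno */
}

int main(void)
{
    const uint32_t claims[] = { 10, 59, 60, 5000 };
    const size_t page_len = 64;
    for (size_t i = 0; i < sizeof claims / sizeof claims[0]; i++) {
        size_t off = old_nul_offset_for(claims[i], page_len);
        long res = new_decode_for(claims[i], page_len, 1024);
        printf("claimed %4u: old code puts NUL at offset %2zu (%s); new code %s\n",
               (unsigned)claims[i], off, off >= page_len ? "past the page" : "in page",
               res >= 0 ? "accepts" : "returns -ENAMETOOLONG");
    }
    return 0;
}
```

With a 64-byte page, a claimed length of 59 is the largest the patched check accepts (its terminator lands at offset 63), a claim of 60 is rejected, and the old clamp would have placed the terminator at offset 64 or beyond for any claim of 60 or more.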
Comment 2 Ernie Petrides 2005-11-02 20:48:09 EST
A fix for this problem has just been committed to the RHEL3 U7
patch pool this evening (in kernel version 2.4.21-37.8.EL).
Comment 5 Red Hat Bugzilla 2006-03-15 11:42:31 EST
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2006-0144.html
Comment 6 Marcel Holtmann 2006-05-10 10:41:16 EDT
This has been assigned CVE-2005-4798.
