From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.10) Gecko/20050909 Fedora/1.7.10-1.3.2

Description of problem:
In 2.4.31, the v2/3 nfs readlink accepts too long symlinks.

Version-Release number of selected component (if applicable):

How reproducible:
Always

Steps to Reproduce:
1. have a server return long symlinks.
2.
3.

Actual Results: symlink is truncated

Expected Results: An error should be returned.

Additional info:
The LKML thread: http://lkml.org/lkml/2005/9/12/105

The upstream fix:
tree be323c0a65d7e380ad04cad1c3a80015a82056dd
parent bb52ef60b5caa8f973523eda15d3c3941f298e63
author Assar <assar> Thu, 15 Sep 2005 00:59:25 -0400
committer Marcelo Tosatti <marcelo> Thu, 22 Sep 2005 19:11:18 -0300

[PATCH] nfs client: handle long symlinks properly

In 2.4.31, the v2/3 nfs readlink accepts too long symlinks. I have tested this by having a server return long symlinks.

diff -u linux-2.4.31.orig/fs/nfs/nfs2xdr.c linux-2.4.31/fs/nfs/nfs2xdr.c fs/nfs/nfs2xdr.c | 7 +++++-- fs/nfs/nfs3xdr.c | 7 +++++-- 2 files changed, 10 insertions(+), 4 deletions(-) diff --git a/fs/nfs/nfs2xdr.c b/fs/nfs/nfs2xdr.c --- a/fs/nfs/nfs2xdr.c +++ b/fs/nfs/nfs2xdr.c @@ -571,8 +571,11 @@ nfs_xdr_readlinkres(struct rpc_rqst *req strlen = (u32*)kmap(rcvbuf->pages[0]); /* Convert length of symlink */ len = ntohl(*strlen); - if (len > rcvbuf->page_len) - len = rcvbuf->page_len; + if (len >= rcvbuf->page_len - sizeof(u32) || len > NFS2_MAXPATHLEN) { + printk(KERN_WARNING "NFS: server returned giant symlink!\n"); + kunmap(rcvbuf->pages[0]); + return -ENAMETOOLONG; + } *strlen = len; /* NULL terminate the string we got */ string = (char *)(strlen + 1); diff --git a/fs/nfs/nfs3xdr.c b/fs/nfs/nfs3xdr.c --- a/fs/nfs/nfs3xdr.c +++ b/fs/nfs/nfs3xdr.c 
@@ -759,8 +759,11 @@ nfs3_xdr_readlinkres(struct rpc_rqst *re strlen = (u32*)kmap(rcvbuf->pages[0]); /* Convert length of symlink */ len = ntohl(*strlen); - if (len > rcvbuf->page_len) - len = rcvbuf->page_len; + if (len >= rcvbuf->page_len - sizeof(u32)) { + printk(KERN_WARNING "NFS: server returned giant symlink!\n"); + kunmap(rcvbuf->pages[0]); + return -ENAMETOOLONG; + } *strlen = len; /* NULL terminate the string we got */ string = (char *)(strlen + 1); -
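Review bot: in the nfs2xdr.c hunk, `rcvbuf->page_len - sizeof(u32)` is an unsigned subtraction (len comes from ntohl and page_len is presumably u32 as well), so it wraps if page_len is ever below 4; in that state the first clause is effectively never true and only the `len > NFS2_MAXPATHLEN` clause still limits what gets through. If the caller guarantees page_len >= sizeof(u32), say so in a comment next to the test; otherwise add an explicit guard such as `if (rcvbuf->page_len < sizeof(u32)) return -EIO;` before it. The switch from the old `>` clamp to `>=` is the part that matters most and also deserves a comment: the terminator is written at `string[len]`, i.e. page offset `sizeof(u32) + len`, so the old code could place that NUL four bytes beyond page_len for a reply claiming `len == page_len`, while the new bound keeps it strictly inside the page. Since a misbehaving server can trigger the KERN_WARNING at will, consider rate-limiting it.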
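Review bot: the nfs3xdr.c hunk bounds len only by page_len, with no counterpart to the NFS2_MAXPATHLEN clause in the nfs2xdr.c hunk; that matches NFSv3 having no fixed protocol path limit, but it means the longest link accepted is whatever the receive page allows (page_len - 5 bytes), so a one-line comment that this is intentional would stop the next reader from assuming a check was dropped. The same unsigned-underflow caveat on `rcvbuf->page_len - sizeof(u32)` applies here, and here there is no second clause to catch a large len if page_len is ever below 4, so a `page_len < sizeof(u32)` guard, or a comment on the caller's guarantee, is warranted.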
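To make the reported behaviour concrete (a too-long link is silently truncated instead of producing an error), here is an added userland model of the READLINK reply decode, written for this page and not taken from the kernel or from the reporter. The page layout it parses (a big-endian XDR length word followed by the path bytes) is the real one; the struct and function names, the MODEL_PAGE_SIZE value, the extra page_len guard and the constructed replies are this example's own assumptions. It decodes each constructed reply with the old clamp-and-terminate logic and with the fixed check, once with the NFSv2 maximum and once without it as in the NFSv3 variant.

```c
/*
 * Userland model of the NFS READLINK reply decode at issue in this bug.
 * Added example, not kernel code.  The page layout (big-endian XDR length
 * word followed by the path bytes) is how the 2.4 nfs*xdr.c code reads the
 * reply; everything else here is this example's own assumption.
 */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MODEL_PAGE_SIZE 4096   /* assumption: one 4 KiB receive page */
#define NFS2_MAXPATHLEN 1024   /* NFSv2 protocol limit used by the nfs2xdr.c check */

/* Stand-in for rcvbuf->pages[0] and rcvbuf->page_len as the decoder sees them. */
struct reply_page {
    uint8_t  page[MODEL_PAGE_SIZE];
    uint32_t page_len;
};

struct decode_result {
    int      status;   /* 0, or a negative errno as the kernel would return it */
    uint32_t len;      /* link length the decoder settled on */
    size_t   nul_off;  /* page offset where the terminating NUL goes */
    int      oob;      /* 1 if that NUL would land at or past page_len */
};

static uint32_t get_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

static void put_be32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* Constructed server reply: a length word claiming `claimed_len` bytes, the
 * rest of the page filled with 'A'.  A claim larger than the page models the
 * "giant symlink" case from the bug report. */
static void make_reply(struct reply_page *rb, uint32_t claimed_len)
{
    memset(rb->page, 'A', sizeof rb->page);
    put_be32(rb->page, claimed_len);
    rb->page_len = MODEL_PAGE_SIZE;
}

/* Pre-fix logic: clamp len to page_len silently, then NUL-terminate at
 * string[len], i.e. page offset sizeof(u32) + len.  The NUL is only written
 * here when it stays inside the page; otherwise the model just reports where
 * the kernel code would have put it. */
static struct decode_result decode_old(struct reply_page *rb)
{
    struct decode_result r = {0, 0, 0, 0};
    uint32_t len = get_be32(rb->page);

    if (len > rb->page_len)
        len = rb->page_len;
    r.len = len;
    r.nul_off = sizeof(uint32_t) + len;
    r.oob = r.nul_off >= rb->page_len;
    if (!r.oob)
        rb->page[r.nul_off] = '\0';
    return r;
}

/* Post-fix logic.  max_path = NFS2_MAXPATHLEN reproduces the nfs2xdr.c check;
 * max_path = 0 reproduces nfs3xdr.c, which has no protocol maximum.
 * The page_len < sizeof(u32) guard is this example's own addition, so that
 * the unsigned subtraction below cannot wrap. */
static struct decode_result decode_new(struct reply_page *rb, uint32_t max_path)
{
    struct decode_result r = {0, 0, 0, 0};
    uint32_t len = get_be32(rb->page);

    if (rb->page_len < sizeof(uint32_t)) {
        r.status = -EIO;
        return r;
    }
    if (len >= rb->page_len - sizeof(uint32_t) || (max_path && len > max_path)) {
        r.status = -ENAMETOOLONG;   /* kernel: "NFS: server returned giant symlink!" */
        return r;
    }
    r.len = len;
    r.nul_off = sizeof(uint32_t) + len;   /* now guaranteed < page_len */
    r.oob = 0;
    rb->page[r.nul_off] = '\0';
    return r;
}

/* Build a reply with the given claimed length and decode it each way. */
struct decode_result run_old(uint32_t claimed_len)
{
    struct reply_page rb;
    make_reply(&rb, claimed_len);
    return decode_old(&rb);
}

struct decode_result run_new(uint32_t claimed_len, uint32_t max_path)
{
    struct reply_page rb;
    make_reply(&rb, claimed_len);
    return decode_new(&rb, max_path);
}

int main(void)
{
    static const uint32_t cases[] = { 20, 1024, 2000, 4091, 4093, 4096, 0xffffffffu };
    size_t i;

    printf("%10s | %-30s | %-12s | %s\n", "claimed", "old: len / nul offset / oob", "new (v2)", "new (v3)");
    for (i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        struct decode_result o  = run_old(cases[i]);
        struct decode_result n2 = run_new(cases[i], NFS2_MAXPATHLEN);
        struct decode_result n3 = run_new(cases[i], 0);
        printf("%10u | len=%-5u nul=%-5zu oob=%d        | %-12s | %s\n",
               cases[i], o.len, o.nul_off, o.oob,
               n2.status ? "ENAMETOOLONG" : "ok",
               n3.status ? "ENAMETOOLONG" : "ok");
    }
    return 0;
}
```

The rows for 4093 and 4096 are the ones the bug is about: the old path either leaves len untouched or clamps it to page_len, and in both cases the terminating NUL lands at or beyond the end of the page, while the fixed path refuses the reply with ENAMETOOLONG. The 2000 row shows the difference between the two hunks: rejected under the NFSv2 maximum, accepted for NFSv3 because it still fits the page.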
A fix for this problem has just been committed to the RHEL3 U7 patch pool this evening (in kernel version 2.4.21-37.8.EL).
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHSA-2006-0144.html
This has been assigned CVE-2005-4798.