author | erwin <erwin@FreeBSD.org> | 2005-12-22 21:02:12 +0000 |
---|---|---|
committer | erwin <erwin@FreeBSD.org> | 2005-12-22 21:02:12 +0000 |
commit | d0e2ac9aeac155578eb7d4f9e1d0f91655989ccf (patch) | |
tree | f293014e1ac1e08f0240dc165b3a514a2d1bf6a9 | |
parent | 0c8b4542e0ce4f684c11e17ea81e497c956ecf32 (diff) | |
The attached patch fixes a buffer overflow vulnerability and fixes building on
FreeBSD 7.0. Furthermore nbd.h has been updated to a version from a newer
Linux kernel.
Requested by: remko
-rw-r--r-- | net/nbd-server/Makefile | 9 | ||||
-rw-r--r-- | net/nbd-server/files/nbd.h | 25 | ||||
-rw-r--r-- | net/nbd-server/files/patch-nbd-server.c | 26 |
3 files changed, 41 insertions, 19 deletions
diff --git a/net/nbd-server/Makefile b/net/nbd-server/Makefile index 9bcc6cd..7ae01e8 100644 --- a/net/nbd-server/Makefile +++ b/net/nbd-server/Makefile @@ -7,6 +7,7 @@ PORTNAME= nbd-server PORTVERSION= 2.8.2 +PORTREVISION= 1 CATEGORIES= net MASTER_SITES= ${MASTER_SITE_SOURCEFORGE} MASTER_SITE_SUBDIR= nbd @@ -25,13 +26,7 @@ CONFIGURE_ARGS= --prefix=${PREFIX} --enable-lfs --enable-syslog PLIST_FILES= bin/nbd-server MAN1= nbd-server.1 -.include <bsd.port.pre.mk> - -.if ${OSVERSION} >= 700000 -BROKEN= "GCC fails on FreeBSD >= 7.0" -.endif - post-extract: @${CP} ${FILESDIR}/nbd.h ${WRKSRC} -.include <bsd.port.post.mk> +.include <bsd.port.mk> diff --git a/net/nbd-server/files/nbd.h b/net/nbd-server/files/nbd.h index dcb0228..090e210 100644 --- a/net/nbd-server/files/nbd.h +++ b/net/nbd-server/files/nbd.h @@ -8,6 +8,8 @@ * 2003/06/24 Louis D. Langholtz <ldl@aros.net> * Removed unneeded blksize_bits field from nbd_device struct. * Cleanup PARANOIA usage & code. + * 2004/02/19 Paul Clements + * Removed PARANOIA, plus various cleanup and comments */ #ifndef LINUX_NBD_H @@ -32,22 +34,19 @@ enum { #define nbd_cmd(req) ((req)->cmd[0]) #define MAX_NBD 128 -/* Define PARANOIA to include extra sanity checking code in here & driver */ -#define PARANOIA - /* userspace doesn't need the nbd_device structure */ #ifdef __KERNEL__ +/* values for flags field */ +#define NBD_READ_ONLY 0x0001 +#define NBD_WRITE_NOCHK 0x0002 + struct nbd_device { int flags; int harderror; /* Code of hard error */ -#define NBD_READ_ONLY 0x0001 -#define NBD_WRITE_NOCHK 0x0002 struct socket * sock; struct file * file; /* If == NULL, device is not ready, yet */ -#ifdef PARANOIA - int magic; /* FIXME: not if debugging is off */ -#endif + int magic; spinlock_t queue_lock; struct list_head queue_head;/* Requests are added here... */ struct semaphore tx_lock; 
@@ -58,16 +57,14 @@ struct nbd_device { #endif -/* This now IS in some kind of include file... */ - -/* These are send over network in request/reply magic field */ +/* These are sent over the network in the request/reply magic fields */ #define NBD_REQUEST_MAGIC 0x25609513 #define NBD_REPLY_MAGIC 0x67446698 /* Do *not* use magics: 0x12560953 0x96744668. */ /* - * This is packet used for communication between client and + * This is the packet used for communication between client and * server. All data are in network byte order. */ struct nbd_request { @@ -82,6 +79,10 @@ struct nbd_request { #endif ; +/* + * This is the reply packet that nbd-server sends back to the client after + * it has completed an I/O request (or an error occurs). + */ struct nbd_reply { u32 magic; u32 error; /* 0 = ok, else error */ diff --git a/net/nbd-server/files/patch-nbd-server.c b/net/nbd-server/files/patch-nbd-server.c new file mode 100644 index 0000000..383f896 --- /dev/null +++ b/net/nbd-server/files/patch-nbd-server.c @@ -0,0 +1,26 @@ +diff -urN nbd-2.8.2.orig/nbd-server.c nbd-2.8.2/nbd-server.c +--- nbd-2.8.2.orig/nbd-server.c Wed Nov 9 22:38:44 2005 ++++ nbd-server.c Thu Dec 22 16:04:47 2005 +@@ -363,11 +363,11 @@ + * is severely wrong) + **/ + void sigchld_handler(int s) { +- int* status=NULL; ++ int status; + int* i; + pid_t pid; + +- while((pid=wait(status)) > 0) { ++ while ((pid = waitpid(-1, &status, WNOHANG)) > 0) { + if(WIFEXITED(status)) { + msg3(LOG_INFO, "Child exited with %d", WEXITSTATUS(status)); + } +@@ -684,7 +684,7 @@ + + if (request.magic != htonl(NBD_REQUEST_MAGIC)) + err("Not enough magic."); +- if (len > BUFSIZE) ++ if (len > (BUFSIZE-sizeof(struct nbd_reply))) + err("Request too big!"); + #ifdef DODBG + printf("%s from %Lu (%Lu) len %d, ", request.type ? "WRITE" : |
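Review bot: The new bound in the second nbd-server.c hunk, `if (len > (BUFSIZE-sizeof(struct nbd_reply)))`, rejects a negative `len` only through the implicit conversion to `size_t` that `sizeof` brings into the comparison. `len` is printed with `%d` in the context line below it, so it is presumably a signed int taken from the client's request; its declaration and the buffer handling are outside the hunk. I would make the intent explicit with `if (len < 0 || (size_t)len > BUFSIZE - sizeof(struct nbd_reply))`, and add a comment such as `/* the reply header is sent from the same buffer, so leave room for it */` if that is indeed why the header size is subtracted. A compile-time check that `BUFSIZE` is larger than `sizeof(struct nbd_reply)` would also keep the unsigned subtraction from wrapping around if the buffer size is ever reduced.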