diff options
author | kib <kib@FreeBSD.org> | 2017-02-23 09:55:55 +0000 |
---|---|---|
committer | kib <kib@FreeBSD.org> | 2017-02-23 09:55:55 +0000 |
commit | ab9578f7175d93afabb4399b01039d613d26bdb8 (patch) | |
tree | 0f800ffde8c830fc0c9deb198f8ea4d7744f61f9 /sys/fs | |
parent | 4a247b155fb7ce59b08c4cf9b3f6e79de24c6493 (diff) | |
download | FreeBSD-src-ab9578f7175d93afabb4399b01039d613d26bdb8.zip FreeBSD-src-ab9578f7175d93afabb4399b01039d613d26bdb8.tar.gz |
MFC r313800:
Do not access memory past the buffer end.
Do not accept and silently truncate too long hostname.
Diffstat (limited to 'sys/fs')
-rw-r--r-- | sys/fs/nfsclient/nfs_clvfsops.c | 9 |
1 files changed, 7 insertions, 2 deletions
diff --git a/sys/fs/nfsclient/nfs_clvfsops.c b/sys/fs/nfsclient/nfs_clvfsops.c index 0e88dfb..3c18663 100644 --- a/sys/fs/nfsclient/nfs_clvfsops.c +++ b/sys/fs/nfsclient/nfs_clvfsops.c @@ -1270,8 +1270,13 @@ nfs_mount(struct mount *mp) error = EINVAL; goto out; } - bcopy(args.hostname, hst, MNAMELEN); - hst[MNAMELEN - 1] = '\0'; + if (len >= MNAMELEN) { + vfs_mount_error(mp, "Hostname too long"); + error = EINVAL; + goto out; + } + bcopy(args.hostname, hst, len); + hst[len] = '\0'; } if (vfs_getopt(mp->mnt_optnew, "principal", (void **)&name, NULL) == 0) |