From 175058b2d14f3b2427bfd5337c6723835ed23736 Mon Sep 17 00:00:00 2001
From: guido <guido@FreeBSD.org>
Date: Fri, 29 Aug 1997 19:22:28 +0000
Subject: Plug info agthering attack as pointed out on Bugtraq recently.
 Obtained from: OpenBSD

---
 usr.sbin/mountd/mountd.c | 23 ++++++++++++++---------
 1 file changed, 14 insertions(+), 9 deletions(-)

(limited to 'usr.sbin')

diff --git a/usr.sbin/mountd/mountd.c b/usr.sbin/mountd/mountd.c
index 7dadb1f..38ead40 100644
--- a/usr.sbin/mountd/mountd.c
+++ b/usr.sbin/mountd/mountd.c
@@ -43,7 +43,7 @@ static char copyright[] =
 #ifndef lint
 /*static char sccsid[] = "@(#)mountd.c	8.15 (Berkeley) 5/1/95"; */
 static const char rcsid[] =
-	"$Id: mountd.c,v 1.21 1997/04/30 18:40:12 pst Exp $";
+	"$Id: mountd.c,v 1.22 1997/07/16 09:27:53 dfr Exp $";
 #endif /*not lint*/
 
 #include <sys/param.h>
@@ -374,7 +374,7 @@ mntsrv(rqstp, transp)
 	u_long saddr;
 	u_short sport;
 	char rpcpath[RPCMNT_PATHLEN + 1], dirpath[MAXPATHLEN];
-	int bad = ENOENT, defset, hostset;
+	int bad = 0, defset, hostset;
 	sigset_t sighup_mask;
 
 	sigemptyset(&sighup_mask);
@@ -410,9 +410,7 @@ mntsrv(rqstp, transp)
 			chdir("/");	/* Just in case realpath doesn't */
 			if (debug)
 				fprintf(stderr, "stat failed on %s\n", dirpath);
-			if (!svc_sendreply(transp, xdr_long, (caddr_t)&bad))
-				syslog(LOG_ERR, "Can't send reply");
-			return;
+			bad = ENOENT;	/* We will send error reply later */
 		}
 
 		/* Check in the exports list */
@@ -424,6 +422,13 @@ mntsrv(rqstp, transp)
 		     chk_host(dp, saddr, &defset, &hostset)) ||
 		     (defset && scan_tree(ep->ex_defdir, saddr) == 0 &&
 		      scan_tree(ep->ex_dirl, saddr) == 0))) {
+			if (bad) {
+				if (!svc_sendreply(transp, xdr_long,
+				    (caddr_t)&bad))
+					syslog(LOG_ERR, "Can't send reply");
+				sigprocmask(SIG_UNBLOCK, &sighup_mask, NULL);
+				return;
+			}
 			if (hostset & DP_HOSTSET)
 				fhr.fhr_flag = hostset;
 			else
@@ -452,11 +457,11 @@ mntsrv(rqstp, transp)
 					dirpath);
 			if (debug)
 				fprintf(stderr,"Mount successfull.\n");
-		} else {
+		} else
 			bad = EACCES;
-			if (!svc_sendreply(transp, xdr_long, (caddr_t)&bad))
-				syslog(LOG_ERR, "Can't send reply");
-		}
+
+		if (bad && !svc_sendreply(transp, xdr_long, (caddr_t)&bad))
+			syslog(LOG_ERR, "Can't send reply");
 		sigprocmask(SIG_UNBLOCK, &sighup_mask, NULL);
 		return;
 	case RPCMNT_DUMP:
-- 
cgit v1.1