From 9c6f08774bda4bc80dc3134a0d97b985f92b0aa3 Mon Sep 17 00:00:00 2001
From: cperciva <cperciva@ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f>
Date: Thu, 27 May 2010 03:15:04 +0000
Subject: [PATCH] Change the current working directory to be inside the jail
 created by the jail(8) command. [10:04]

Fix a one-NUL-byte buffer overflow in libopie. [10:05]

Correctly sanity-check a buffer length in nfs mount. [10:06]

Approved by:	so (cperciva)
Approved by:	re (kensmith)
Security:	FreeBSD-SA-10:04.jail
Security:	FreeBSD-SA-10:05.opie
Security:	FreeBSD-SA-10:06.nfsclient


git-svn-id: svn://svn.freebsd.org/base/releng/7.2@208586 ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f
---
 UPDATING                       | 5 +++++
 contrib/opie/libopie/readrec.c | 4 +---
 lib/libc/sys/mount.2           | 9 ++++++++-
 sys/conf/newvers.sh            | 2 +-
 sys/nfsclient/nfs_vfsops.c     | 5 +++++
 5 files changed, 20 insertions(+), 5 deletions(-)

diff --git a/UPDATING b/UPDATING
index f6e94bf8..66aba7d1 100644
--- a/UPDATING
+++ b/UPDATING
@@ -8,6 +8,11 @@ Items affecting the ports and packages system can be found in
 /usr/ports/UPDATING.  Please read that file before running
 portupgrade.
 
+20100526:	p8	FreeBSD-SA-10:05.opie, FreeBSD-SA-10:06.nfsclient
+	Fix a one-NUL-byte buffer overflow in libopie. [10:05]
+
+	Correctly sanity-check a buffer length in nfs mount. [10:06]
+
 20100227:	p7	FreeBSD-EN-10:02.sched_ule
 	Fix a deadlock in the ULE scheduler.
 
diff --git a/contrib/opie/libopie/readrec.c b/contrib/opie/libopie/readrec.c
index f56af7ff..4f204b92 100644
--- a/contrib/opie/libopie/readrec.c
+++ b/contrib/opie/libopie/readrec.c
@@ -141,10 +141,8 @@ int __opiereadrec FUNCTION((opie), struct opie *opie)
     
     if (c = strchr(opie->opie_principal, ':'))
       *c = 0;
-    if (strlen(opie->opie_principal) > OPIE_PRINCIPAL_MAX)
-      (opie->opie_principal)[OPIE_PRINCIPAL_MAX] = 0;
     
-    strcpy(principal, opie->opie_principal);
+    strlcpy(principal, opie->opie_principal, sizeof(principal));
     
     do {
       if ((opie->opie_recstart = ftell(f)) < 0)
diff --git a/lib/libc/sys/mount.2 b/lib/libc/sys/mount.2
index 6ce2d4d2..3d48f411 100644
--- a/lib/libc/sys/mount.2
+++ b/lib/libc/sys/mount.2
@@ -107,7 +107,7 @@ This restriction can be removed by setting the
 .Va vfs.usermount
 .Xr sysctl 8
 variable
-to a non-zero value.
+to a non-zero value; see the BUGS section for more information.
 .Pp
 The following
 .Fa flags
@@ -370,3 +370,10 @@ functions appeared in
 .At v6 .
 .Sh BUGS
 Some of the error codes need translation to more obvious messages.
+.Pp
+Allowing untrusted users to mount arbitrary media, e.g. by enabling
+.Va vfs.usermount ,
+should not be considered safe.
+Most file systems in
+.Fx
+were not built to safeguard against malicious devices.
diff --git a/sys/conf/newvers.sh b/sys/conf/newvers.sh
index 80aa476f..9278c5b0 100644
--- a/sys/conf/newvers.sh
+++ b/sys/conf/newvers.sh
@@ -32,7 +32,7 @@
 
 TYPE="FreeBSD"
 REVISION="7.2"
-BRANCH="RELEASE-p7"
+BRANCH="RELEASE-p8"
 if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
 	BRANCH=${BRANCH_OVERRIDE}
 fi
diff --git a/sys/nfsclient/nfs_vfsops.c b/sys/nfsclient/nfs_vfsops.c
index a963083f..378c0250 100644
--- a/sys/nfsclient/nfs_vfsops.c
+++ b/sys/nfsclient/nfs_vfsops.c
@@ -1002,6 +1002,11 @@ nfs_mount(struct mount *mp, struct thread *td)
 		nfs_decode_args(mp, nmp, &args, NULL);
 		goto out;
 	}
+	if (args.fhsize < 0 || args.fhsize > NFSX_V3FHMAX) {
+		vfs_mount_error(mp, "Bad file handle");
+		error = EINVAL;
+		goto out;
+	}
 
 	/*
 	 * Make the nfs_ip_paranoia sysctl serve as the default connection
-- 
2.42.0