Bugtraq mailing list archives

Re: rpc.mountd vulnerabilities

From: okir () MONAD SWB DE (Olaf Kirch)
Date: Wed, 30 Sep 1998 12:00:44 +0200


-----BEGIN PGP SIGNED MESSAGE-----

On Tue, 29 Sep 1998 10:57:02 BST, tiago wrote:

  I will send the diffs of a patch in one or two days.
  I did not contact the maintainer of the distribution. Anyone would
please do so?


Why? If you had had a look at the file called BUGS you would have found
instructions about where to submit bug reports: unfsd () monad swb de.
What more can a maintainer of a package do than use file names that
scream at you?

A patch against 2.2beta29 (which most people seem to be using at the
moment) is included. The latest tarball is available from
ftp://linux.mathematik.tu-darmstadt.de/pub/linux/people/okir/

afe0f88c48add25f304a387ae4fb40ba  nfs-server-2.2beta37.tar.gz


Olaf
- --
Olaf Kirch         |  --- o --- Nous sommes du soleil we love when we play
okir () monad swb de  |    / | \   sol.dhoop.naytheet.ah kin.ir.samse.qurax

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2i

iQCVAwUBNhIQgOFnVHXv40etAQEUhAP+KvwZ0fH2q1T+ygBzREyy80JAfwo74ZT2
/9gx0q2OfKeY+jZuSgBfdlSz3Mz3+9iY8QRaDBDIoybZD8BpKQ76jok451rWlnVX
nXJU7K7NYcgCmLmGn7EoH5kv2C5EojXkzLd3F45k+ceJP/rxdQntheb6tOGpTa1V
gD7BUlSwHiQ=
=ZhRc
-----END PGP SIGNATURE-----
------------------------------------------------------------------
diff -ur nfs-server-2.2beta29.orig/mount_dispatch.c nfs-server-2.2beta29/mount_dispatch.c
--- nfs-server-2.2beta29.orig/mount_dispatch.c  Wed Feb  5 17:07:28 1997
+++ nfs-server-2.2beta29/mount_dispatch.c       Wed Sep 30 12:04:52 1998
@@ -25,6 +25,8 @@
  */
 #define        MAXVERS         2

+#define NRENTRIES(x)   (sizeof(x) / sizeof((x)[0]))
+
 /*
  * This is a dispatch table to simplify error checking,
  * and supply return attributes for NFS functions.
@@ -95,8 +97,8 @@
 };

 static unsigned int            dtnrprocs[MAXVERS] = {
-       sizeof(mount_1_table),
-       sizeof(mount_2_table),
+       NRENTRIES(mount_1_table),
+       NRENTRIES(mount_2_table),
 };

 /*
@@ -114,12 +116,15 @@
        vers_index = rqstp->rq_vers - 1;
        _rpcsvcdirty = 1;

-       dtbl = dtable[vers_index];
-
+       if (vers_index >= MAXVERS) {
+               svcerr_progvers(transp, 1, MAXVERS);
+               goto done;
+       }
        if (proc_index >= dtnrprocs[vers_index]) {
                svcerr_noproc(transp);
                goto done;
        }
+       dtbl = dtable[vers_index];
        dent = &dtbl[proc_index];

        memset(&argument, 0, dent->arg_size);
------------------------------------------------------------------

Current thread:

mountd- more info (sorry), (continued)
- - - mountd- more info (sorry) John Caldwell (Sep 28)
    - Bay Accelar 1000 series Steven Hearon (Sep 28)
    - Re: mountd- more info (sorry) RHS Linux User (Sep 29)
    - rpc.mountd vulnerabilities tiago (Sep 29)
    - Re: rpc.mountd vulnerabilities morex .- (Sep 29)
    - Snork exploit route () RESENTMENT INFONEXUS COM (Sep 29)
    - Re: rpc.mountd vulnerabilities Alan Brown (Sep 29)
    - IRIX Mail(1)/mailx(1) Security Issues SGI Security Coordinator (Sep 29)
    - IRIX On-Line Customer Registration Vulnerabilities SGI Security Coordinator (Sep 29)
    - IRIX mail(1)/rmail(1M)/sendmail(1M) Security Vulnerabilities SGI Security Coordinator (Sep 29)
    - Re: rpc.mountd vulnerabilities Olaf Kirch (Sep 30)
    - ISS Security Advisory: Snork X-Force (Sep 29)
    - Re: mountd- more info (sorry) John Caldwell (Sep 29)
    - Re: mountd- more info (sorry) Anthony C. Zboralski (Sep 30)
    - more rpc.mountd jason valentine (Sep 30)
    - Netscape Cache Exploit - source code Ken Williams (Sep 29)
    - Re: IRIX 6.2 passwordless accounts exploit? Kevin Hawkins (Sep 30)
    - Sun Security Bulletin #00176 joshua grubman (Sep 30)
    - Re: IRIX 6.2 passwordless accounts exploit? morex .- (Sep 28)
    - mountd remote exploit? John Caldwell (Sep 28)
    - Re: mountd remote exploit? morex .- (Sep 28)

(Thread continues...)