[packages/nfs-utils.git] / nfs-utils-usn36.patch

From Ubuntu's changelog:
  * utils/statd/statd.c (patch from SGI):
   - drop_privs(): fix uninitialized st.st_gid value when running as root
     (not exploitable, but using random group ids might be confusing)
  * utils/rquotad/rquota_server.c (Arjan van de Ven):
    - getquotainfo(): do not use memcpy() to copy
      values from struct dqblk to struct rquota; on 64 bit architectures time_t
      is 64 bits wide, but the target fields are only 32 bit, thus causing a
      buffer overflow
    - CAN-2004-0946

--- nfs-utils-1.0.6.orig/utils/statd/statd.c
+++ nfs-utils-1.0.6/utils/statd/statd.c
@@ -179,8 +179,10 @@
 	struct stat st;
 
 	if (stat(SM_DIR, &st) == -1 &&
-	    stat(DIR_BASE, &st) == -1)
+	    stat(DIR_BASE, &st) == -1) {
 		st.st_uid = 0;
+		st.st_gid = 0;
+	}
 
 	if (st.st_uid == 0) {
 		note(N_WARNING, "statd running as root. chown %s to choose different user\n",
--- nfs-utils-1.0.6.orig/utils/rquotad/rquota_server.c
+++ nfs-utils-1.0.6/utils/rquotad/rquota_server.c
@@ -76,6 +76,7 @@
    char *pathname, *qfpathname;
    int fd, err, id, type;
    struct stat stm, stn;
+   struct rquota *rquota;
 
    /*
     * First check authentication.
@@ -168,8 +169,16 @@
           * Make a copy of the info into the last part of the remote quota
           * struct which is exactly the same.
           */
-         memcpy((caddr_t *)&result.getquota_rslt_u.gqr_rquota.rq_bhardlimit,
-                (caddr_t *)&dq_dqb, sizeof(struct dqblk));
+
+         rquota = &result.getquota_rslt_u.gqr_rquota;
+         rquota->rq_bhardlimit = dq_dqb.dqb_bhardlimit;
+         rquota->rq_bsoftlimit = dq_dqb.dqb_bsoftlimit;;
+         rquota->rq_curblocks = dq_dqb.dqb_curblocks;
+         rquota->rq_fhardlimit = dq_dqb.dqb_ihardlimit;
+         rquota->rq_fsoftlimit = dq_dqb.dqb_isoftlimit;
+         rquota->rq_curfiles = dq_dqb.dqb_curinodes;
+         rquota->rq_btimeleft = dq_dqb.dqb_btime;
+         rquota->rq_ftimeleft = dq_dqb.dqb_itime;
 
          return(&result);
       }
Commit	Line	Data
da19a804 JB	1	From Ubuntu's changelog:
	2	* utils/statd/statd.c (patch from SGI):
	3	- drop_privs(): fix uninitialized st.st_gid value when running as root
	4	(not exploitable, but using random group ids might be confusing)
	5	* utils/rquotad/rquota_server.c (Arjan van de Ven):
	6	- getquotainfo(): do not use memcpy() to copy
	7	values from struct dqblk to struct rquota; on 64 bit architectures time_t
	8	is 64 bits wide, but the target fields are only 32 bit, thus causing a
	9	buffer overflow
	10	- CAN-2004-0946
	11
6183e994 AG	12	--- nfs-utils-1.0.6.orig/utils/statd/statd.c
	13	+++ nfs-utils-1.0.6/utils/statd/statd.c
	14	@@ -179,8 +179,10 @@
	15	struct stat st;
	16
	17	if (stat(SM_DIR, &st) == -1 &&
	18	- stat(DIR_BASE, &st) == -1)
	19	+ stat(DIR_BASE, &st) == -1) {
	20	st.st_uid = 0;
	21	+ st.st_gid = 0;
	22	+ }
	23
	24	if (st.st_uid == 0) {
	25	note(N_WARNING, "statd running as root. chown %s to choose different user\n",
6183e994 AG	26	--- nfs-utils-1.0.6.orig/utils/rquotad/rquota_server.c
	27	+++ nfs-utils-1.0.6/utils/rquotad/rquota_server.c
	28	@@ -76,6 +76,7 @@
	29	char pathname, qfpathname;
	30	int fd, err, id, type;
	31	struct stat stm, stn;
	32	+ struct rquota *rquota;
	33
	34	/*
	35	* First check authentication.
	36	@@ -168,8 +169,16 @@
	37	* Make a copy of the info into the last part of the remote quota
	38	* struct which is exactly the same.
	39	*/
	40	- memcpy((caddr_t *)&result.getquota_rslt_u.gqr_rquota.rq_bhardlimit,
	41	- (caddr_t *)&dq_dqb, sizeof(struct dqblk));
	42	+
	43	+ rquota = &result.getquota_rslt_u.gqr_rquota;
	44	+ rquota->rq_bhardlimit = dq_dqb.dqb_bhardlimit;
	45	+ rquota->rq_bsoftlimit = dq_dqb.dqb_bsoftlimit;;
	46	+ rquota->rq_curblocks = dq_dqb.dqb_curblocks;
	47	+ rquota->rq_fhardlimit = dq_dqb.dqb_ihardlimit;
	48	+ rquota->rq_fsoftlimit = dq_dqb.dqb_isoftlimit;
	49	+ rquota->rq_curfiles = dq_dqb.dqb_curinodes;
	50	+ rquota->rq_btimeleft = dq_dqb.dqb_btime;
	51	+ rquota->rq_ftimeleft = dq_dqb.dqb_itime;
	52
	53	return(&result);
	54	}