From a47739bf3b89432e112d1d2ed9bbdaf1e09d450a Mon Sep 17 00:00:00 2001
From: Neil Brown
Date: Tue, 17 May 2011 14:36:21 +1000
Subject: [PATCH] Remove risk of nfs_addmntent corrupting mtab

nfs_addmntent is used to append directly to /etc/mtab. If the write partially fail, e.g. due to RLIMIT_FSIZE, truncate back to original size and return an error.

See also https://bugzilla.redhat.com/show_bug.cgi?id=697975 (CVE-2011-1749)

CVE-2011-1749 nfs-utils: mount.nfs fails to anticipate RLIMIT_FSIZE

Signed-off-by: NeilBrown
---
 support/nfs/nfs_mntent.c | 9 +++++++++
 1 file changed, 9 insertions(+)

--- nfs-utils-1.2.1.orig/support/nfs/nfs_mntent.c
+++ nfs-utils-1.2.1/support/nfs/nfs_mntent.c
@@ -12,6 +12,7 @@
 #include /* for index */
 #include /* for isdigit */
 #include /* for umask */
+#include /* for ftruncate */
 #include "nfs_mntent.h"
 #include "nls.h"
@@ -127,9 +128,11 @@ int
 nfs_addmntent (mntFILE *mfp, struct mntent *mnt) {
 	char *m1, *m2, *m3, *m4;
 	int res;
+	off_t length;
 	if (fseek (mfp->mntent_fp, 0, SEEK_END))
 		return 1; /* failure */
+	length = ftell(mfp->mntent_fp);
 	m1 = mangle(mnt->mnt_fsname);
 	m2 = mangle(mnt->mnt_dir);
@@ -143,6 +146,12 @@ nfs_addmntent (mntFILE *mfp, struct mnte
 	free(m2);
 	free(m3);
 	free(m4);
+	if (res >= 0) res = fflush(mfp->mntent_fp);
+	if (res < 0) /* Avoid leaving a corrupt mtab file */ ftruncate(fileno(mfp->mntent_fp), length);
+
 	return (res < 0) ? 1 : 0;
 }
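Review bot: `length = ftell(mfp->mntent_fp);` stores the result unchecked, yet ftell returns -1 (and sets errno) on failure, and with `length == -1` the later recovery `ftruncate(fileno(mfp->mntent_fp), length)` is rejected with EINVAL, so a partially written record would stay in mtab. Fail early instead, mirroring the fseek check just above it: `if ((length = ftell(mfp->mntent_fp)) < 0) return 1; /* failure */`. The body of nfs_addmntent continues past the end of this hunk.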
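Review bot: The recovery line `ftruncate(fileno(mfp->mntent_fp), length);` discards its own return value, so if the truncate fails the partial line remains in /etc/mtab while the caller only sees the generic 1; check it and at least report it, e.g. `if (ftruncate(fileno(mfp->mntent_fp), length) < 0) perror("ftruncate");` (or the file's usual logging helper, which is not visible here). Exceeding RLIMIT_FSIZE also delivers SIGXFSZ, whose default disposition terminates the process before fflush can return EOF, so this recovery path only runs if the caller ignores or handles that signal; nothing in the patch shows that, so confirm mount.nfs arranges `signal(SIGXFSZ, SIG_IGN)` (or equivalent) before nfs_addmntent is reached. Separately, POSIX does not specify whether the unwritten stdio buffer is discarded after a failed fflush (glibc resets its write pointer, other libcs may not), so a later fclose could in principle re-append the partial record after the truncate; a one-line comment on the fflush line noting that assumption would help the next maintainer. nfs_addmntent starts before this hunk.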