From a9cdec42bf587aad5bdd22a196a8f37c68270b23 Mon Sep 17 00:00:00 2001 From: Jeff Layton Date: Fri, 25 Sep 2009 07:05:00 -0400 Subject: [PATCH] mount.cifs: don't leak passwords with verbose option When running mount.cifs with the --verbose option, it'll print out the option string that it passes to the kernel...including the mount password if there is one. Print a placeholder string instead to help ensure that this info can't be used for nefarious purposes. Also, the --verbose option printed the option string before it was completely assembled anyway. This patch should also make sure that the complete option string is printed out. Finally, strndup passwords passed in on the command line to ensure that they aren't shown by --verbose as well. Passwords used this way can never be truly kept private from other users on the machine of course, but it's simple enough to do it this way for completeness sake. Reported-by: Ronald Volgers Signed-off-by: Jeff Layton Acked-by: Steve French Part 2/2 of a fix for CVE-2009-2948. (cherry picked from commit 1c2a816df9fd9e3a3839a679a72b3041b0217dc3) --- source/client/mount.cifs.c | 54 +++++++++++++++++++++++++++++----------------- 1 file changed, 34 insertions(+), 20 deletions(-) diff --git a/source/client/mount.cifs.c b/source/client/mount.cifs.c index cee9188f9f9..a947dd1cf74 100644 --- a/source/client/mount.cifs.c +++ b/source/client/mount.cifs.c @@ -391,9 +391,6 @@ static int parse_options(char ** optionsp, int * filesys_flags) return 1; data = *optionsp; - if(verboseflag) - printf("parsing options: %s\n", data); - /* BB fixme check for separator override BB */ if (getuid()) { @@ -482,18 +479,27 @@ static int parse_options(char ** optionsp, int * filesys_flags) } else if (strncmp(data, "pass", 4) == 0) { if (!value || !*value) { if(got_password) { - printf("\npassword specified twice, ignoring second\n"); + fprintf(stderr, "\npassword specified twice, ignoring second\n"); } else got_password = 1; - } else if (strnlen(value, 17) < 17) { - if(got_password) - printf("\nmount.cifs warning - password specified twice\n"); - got_password = 1; + } else if (strnlen(value, MOUNT_PASSWD_SIZE) < MOUNT_PASSWD_SIZE) { + if (got_password) { + fprintf(stderr, "\nmount.cifs warning - password specified twice\n"); + } else { + mountpassword = strndup(value, MOUNT_PASSWD_SIZE); + if (!mountpassword) { + fprintf(stderr, "mount.cifs error: %s", strerror(ENOMEM)); + SAFE_FREE(out); + return 1; + } + got_password = 1; + } } else { - printf("password too long\n"); + fprintf(stderr, "password too long\n"); SAFE_FREE(out); return 1; } + goto nocopy; } else if (strncmp(data, "sec", 3) == 0) { if (value) { if (!strncmp(value, "none", 4) || @@ -1381,15 +1387,6 @@ mount_retry: strlcat(options,domain_name,options_size); } } - if(mountpassword) { - /* Commas have to be doubled, or else they will - look like the parameter separator */ -/* if(sep is not set)*/ - if(retry == 0) - check_for_comma(&mountpassword); - strlcat(options,",pass=",options_size); - strlcat(options,mountpassword,options_size); - } strlcat(options,",ver=",options_size); strlcat(options,MOUNT_CIFS_VERSION_MAJOR,options_size); @@ -1402,8 +1399,6 @@ mount_retry: strlcat(options,",prefixpath=",options_size); strlcat(options,prefixpath,options_size); /* no need to cat the / */ } - if(verboseflag) - printf("\nmount.cifs kernel mount options %s \n",options); /* convert all '\\' to '/' in share portion so that /proc/mounts looks pretty */ replace_char(dev_name, '\\', '/', strlen(share_name)); @@ -1435,6 +1430,25 @@ mount_retry: } } + if(verboseflag) + fprintf(stderr, "\nmount.cifs kernel mount options: %s", options); + + if (mountpassword) { + /* + * Commas have to be doubled, or else they will + * look like the parameter separator + */ + if(retry == 0) + check_for_comma(&mountpassword); + strlcat(options,",pass=",options_size); + strlcat(options,mountpassword,options_size); + if (verboseflag) + fprintf(stderr, ",pass=********"); + } + + if (verboseflag) + fprintf(stderr, "\n"); + if (!fakemnt && mount(dev_name, mountpoint, "cifs", flags, options)) { switch (errno) { case ECONNREFUSED: -- 2.11.4.GIT