From 4e5b3c560593873c8c32279a8be77bb82c1adbf9 Mon Sep 17 00:00:00 2001 From: Steve Dickson Date: May 29 2019 18:07:56 +0000 Subject: rpc.mountd: Fix e_hostname and e_uuid leaks (bz 1713360) Signed-off-by: Steve Dickson
---
diff --git a/nfs-utils-2.3.4-mountd-segfault.patch b/nfs-utils-2.3.4-mountd-segfault.patch
new file mode 100644
index 0000000..cbc6bd9
--- /dev/null
+++ b/nfs-utils-2.3.4-mountd-segfault.patch
@@ -0,0 +1,83 @@
+commit ca668e35d16ca296dee1bd000de8eb8d20433a21
+Author: Chuck Lever
+Date: Tue May 28 10:02:49 2019 -0400
+
+ rpc.mountd: Fix mountd segfault
+
+ After commit 8f459a072f93 ("Remove abuse of ai_canonname") the
+ ai_canonname field in addrinfo structs returned from
+ host_reliable_addrinfo() is always NULL. This results in mountd
+ segfaults when there are netgroups or hostname wildcards in
+ /etc/exports.
+
+ Add an extra DNS query in check_wildcard() and check_netgroup() to
+ obtain the client's canonical hostname instead of dereferencing
+ the NULL pointer.
+
+ Reported-by: Mark Wagner
+ Fixes: 8f459a072f93 ("Remove abuse of ai_canonname")
+ Signed-off-by: Chuck Lever
+ Signed-off-by: Steve Dickson
+
+diff --git a/support/export/client.c b/support/export/client.c
+index a1fba01..ea4f89d 100644
+--- a/support/export/client.c
++++ b/support/export/client.c
+@@ -608,24 +608,36 @@ check_subnetwork(const nfs_client *clp, const struct addrinfo *ai)
+ static int
+ check_wildcard(const nfs_client *clp, const struct addrinfo *ai)
+ {
+- char *cname = clp->m_hostname;
+- char *hname = ai->ai_canonname;
++ char *hname, *cname = clp->m_hostname;
+ struct hostent *hp;
+ char **ap;
++ int match;
+
+- if (wildmat(hname, cname))
+- return 1;
++ match = 0;
++
++ hname = host_canonname(ai->ai_addr);
++ if (hname == NULL)
++ goto out;
++
++ if (wildmat(hname, cname)) {
++ match = 1;
++ goto out;
++ }
+
+ /* See if hname aliases listed in /etc/hosts or nis[+]
+ * match the requested wildcard */
+ hp = gethostbyname(hname);
+ if (hp != NULL) {
+ for (ap = hp->h_aliases; *ap; ap++)
+- if (wildmat(*ap, cname))
+- return 1;
++ if (wildmat(*ap, cname)) {
++ match = 1;
++ goto out;
++ }
+ }
+
+- return 0;
++out:
++ free(hname);
++ return match;
+ }
+
+ /*
+@@ -645,11 +657,9 @@ check_netgroup(const nfs_client *clp, const struct addrinfo *ai)
+
+ match = 0;
+
+- hname = strdup(ai->ai_canonname);
+- if (hname == NULL) {
+- xlog(D_GENERAL, "%s: no memory for strdup", __func__);
++ hname = host_canonname(ai->ai_addr);
++ if (hname == NULL)
+ goto out;
+- }
+
+ /* First, try to match the hostname without
+ * splitting off the domain */
diff --git a/nfs-utils.spec b/nfs-utils.spec
index 30535ac..6b80d51 100644
--- a/nfs-utils.spec
+++ b/nfs-utils.spec
@@ -18,6 +18,7 @@ Source5: 24-nfs-server.conf Patch001: nfs-utils.2.3.4-rc2.patch Patch002: nfs-utils-2.3.4-mount-fallback.patch Patch003: nfs-utils-2.3.4-mountd-memleak.patch +Patch004: nfs-utils-2.3.4-mountd-segfault.patch Patch100: nfs-utils-1.2.1-statdpath-man.patch Patch101: nfs-utils-1.2.1-exp-subtree-warn-off.patch
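Review bot: In both check_wildcard() and check_netgroup() the name that decides the export match now comes from a fresh `host_canonname(ai->ai_addr)` lookup, so the access decision rests on a reverse-DNS answer fetched separately from whatever validation produced `ai`. host_canonname() is not shown here; if it does not forward-confirm the name, whoever controls the PTR record for the client address can influence which wildcard or netgroup entry matches, so I would verify that and record it in a comment such as `/* hname is from a second reverse lookup; only trust it if it resolves back to ai->ai_addr */`. The failure path is also silent now that the xlog() call is gone: `if (hname == NULL) goto out;` fails closed, which is the safe direction, but a line like `xlog(D_GENERAL, "%s: no canonical name for client", __func__);` would keep DNS failures diagnosable. check_netgroup()'s body continues past the end of the hunk.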
@@ -311,6 +312,9 @@ fi %{_libdir}/libnfsidmap.so %changelog +* Wed May 29 2019 Steve Dickson 2.3.3-3.rc2 +- rpc.mountd: Fix e_hostname and e_uuid leaks (bz 1713360) + * Thu May 23 2019 Steve Dickson 2.3.3-2.rc2 - mount: Report correct error in the fall_back cases (bz 1709961) - rpc.mountd: Fix e_hostname and e_uuid leaks (bz 1713360)