From 29829555a8373b90f262117ce16e3938194cce73 Mon Sep 17 00:00:00 2001
From: Jeff Layton <jlayton@redhat.com>
Date: Sat, 24 Oct 2009 08:31:11 -0400
Subject: [PATCH] mount.cifs: take extra care that mountpoint isn't changed during mount

It's possible to trick mount.cifs into mounting onto the wrong directory
by replacing the mountpoint with a symlink to a directory. mount.cifs
attempts to check the validity of the mountpoint, but there's still a
possible race between those checks and the mount(2) syscall.

To guard against this, chdir to the mountpoint very early, and only deal
with it as "." from then on out.

Signed-off-by: Jeff Layton <jlayton@redhat.com>
---
 client/mount.cifs.c |   34 ++++++++++++++++++++++++++--------
 1 files changed, 26 insertions(+), 8 deletions(-)

diff --git a/client/mount.cifs.c b/client/mount.cifs.c
index 3baaad7..fcddaa8 100644
--- a/client/mount.cifs.c
+++ b/client/mount.cifs.c
@@ -179,7 +179,7 @@ check_mountpoint(const char *progname, char *mountpoint)
 	struct stat statbuf;
 
 	/* does mountpoint exist and is it a directory? */
-	err = stat(mountpoint, &statbuf);
+	err = stat(".", &statbuf);
 	if (err) {
 		fprintf(stderr, "%s: failed to stat %s: %s\n", progname,
 				mountpoint, strerror(errno));
@@ -1378,6 +1378,14 @@ int main(int argc, char ** argv)
 	}
 
 	/* make sure mountpoint is legit */
+	rc = chdir(mountpoint);
+	if (rc) {
+		fprintf(stderr, "Couldn't chdir to %s: %s\n", mountpoint,
+				strerror(errno));
+		rc = EX_USAGE;
+		goto mount_exit;
+	}
+
 	rc = check_mountpoint(thisprogram, mountpoint);
 	if (rc)
 		goto mount_exit;
@@ -1440,13 +1448,23 @@ int main(int argc, char ** argv)
 	
 	/* BB save off path and pop after mount returns? */
 	resolved_path = (char *)malloc(PATH_MAX+1);
-	if(resolved_path) {
-		/* Note that if we can not canonicalize the name, we get
-		another chance to see if it is valid when we chdir to it */
-		if (realpath(mountpoint, resolved_path)) {
-			mountpoint = resolved_path; 
-		}
+	if (!resolved_path) {
+		fprintf(stderr, "Unable to allocate memory.\n");
+		rc = EX_SYSERR;
+		goto mount_exit;
 	}
+
+	/* Note that if we can not canonicalize the name, we get
+	   another chance to see if it is valid when we chdir to it */
+	if(!realpath(".", resolved_path)) {
+		fprintf(stderr, "Unable to resolve %s to canonical path: %s\n",
+				mountpoint, strerror(errno));
+		rc = EX_SYSERR;
+		goto mount_exit;
+	}
+
+	mountpoint = resolved_path; 
+
 	if(got_user == 0) {
 		/* Note that the password will not be retrieved from the
 		   USER env variable (ie user%password form) as there is
@@ -1590,7 +1608,7 @@ mount_retry:
 	if (verboseflag)
 		fprintf(stderr, "\n");
 
-	if (!fakemnt && mount(dev_name, mountpoint, "cifs", flags, options)) {
+	if (!fakemnt && mount(dev_name, ".", "cifs", flags, options)) {
 		switch (errno) {
 		case ECONNREFUSED:
 		case EHOSTUNREACH:
-- 
1.6.0.6