XNFS Abend in rpcWorkerThread if NFS mount is attempted with long path

  • 3008097
  • 23-Oct-2007
  • 27-Apr-2012

Environment

Novell NetWare 6.5 Support Pack 6

Situation

If an NFS client attempts a mount command against a NetWare 6.5 NFS server and the path component of the command exceeds 508 characters, XNFS.NLM on the NetWare server will abend in an rpcWorkerThread. This can happen any time XNFS.NLM is loaded, even if no path is currently exported.
 
This makes the NetWare server vulnerable to a denial-of-service attack whenever XNFS.NLM is loaded.
 
This vulnerability is not necessarily limited to NetWare 6.5 SP6.  Older support packs are likely vulnerable as well.

Resolution

The buffer for handling the mount path has been expanded to 1024 bytes, and a check has been added to watch for anything that exceeds that size. The fix is available for use in NetWare 6.5 SP7.
 
It is also available as an individual download (xnfs6a.zip) for NetWare 6.5 SP6 at:
 
If for some reason that link doesn't work, try https://download.novell.com/patch/finder.  Select Product "NetWare" and then do a keyword search on the download name, xnfs6a.zip.
 
This vulnerability has been assigned the identifier CVE-2007-3207 in the CVE database.
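
The kind of length check the Resolution describes, sketched as an added example (this is not Novell's XNFS code). It assumes the mount path arrives as an XDR-encoded string, as in the NFS MOUNT protocol; `decode_dirpath`, `make_sample` and the `DIRPATH_*` codes are hypothetical names.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MNT_PATH_MAX 1024u  /* buffer size stated in the Resolution */

enum { DIRPATH_OK = 0, DIRPATH_TRUNCATED = -1, DIRPATH_TOO_LONG = -2 };

/* Hypothetical helper, not XNFS code. Decodes an XDR string (4-byte
 * big-endian length, then the bytes zero-padded to a multiple of 4)
 * into out, which must hold MNT_PATH_MAX + 1 bytes. */
int decode_dirpath(const uint8_t *msg, size_t msg_len, char *out, size_t *consumed)
{
    if (msg_len < 4)
        return DIRPATH_TRUNCATED;

    uint32_t n = ((uint32_t)msg[0] << 24) | ((uint32_t)msg[1] << 16) |
                 ((uint32_t)msg[2] << 8) | (uint32_t)msg[3];

    /* The length field is client-controlled: check it before any copy. */
    if (n > MNT_PATH_MAX)
        return DIRPATH_TOO_LONG;

    /* The declared length must also fit inside what was received. */
    size_t padded = ((size_t)n + 3u) & ~(size_t)3u;
    if (msg_len - 4 < padded)
        return DIRPATH_TRUNCATED;

    memcpy(out, msg + 4, n);
    out[n] = '\0';
    if (consumed != NULL)
        *consumed = 4 + padded;
    return DIRPATH_OK;
}

/* Constructed sample input: XDR-encodes a path of path_len bytes
 * ('/' followed by 'a' fill) into buf and returns the encoded size. */
size_t make_sample(uint8_t *buf, size_t path_len)
{
    size_t padded = (path_len + 3u) & ~(size_t)3u;
    buf[0] = (uint8_t)(path_len >> 24);
    buf[1] = (uint8_t)(path_len >> 16);
    buf[2] = (uint8_t)(path_len >> 8);
    buf[3] = (uint8_t)path_len;
    memset(buf + 4, 0, padded);
    memset(buf + 4, 'a', path_len);
    if (path_len > 0)
        buf[4] = '/';
    return 4 + padded;
}
```

The length is rejected before the copy, so an oversized request becomes an error return to the client rather than a write past the end of the path buffer.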

Status

Security Alert

Bug Number

277091