Commit 637f2b5e authored by Ed Blake's avatar Ed Blake Committed by Peter Korsgaard
Browse files

rpcbind: Backport fixes to memory leak security fix

Commit 954509fb added a security fix for CVE-2017

-8779, involving
pairing all svc_getargs() calls with svc_freeargs() to avoid a memory
leak.  However it also introduced a couple of issues:

- The call to svc_freeargs() from rpcbproc_callit_com() may result in
  an attempt to free static memory, resulting in undefined behaviour.

- A typo in the svc_freeargs() call from pmapproc_dump() causes NIS
  (aka ypbind) to fail.

Backport upstream fixes for these issues to version 0.2.3.
Signed-off-by: default avatarEd Blake <ed.blake@sondrel.com>
Signed-off-by: default avatarThomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit 5a9a95d0eb15c189f1361c12c105eb0ba8842c77)
Signed-off-by: default avatarPeter Korsgaard <peter@korsgaard.com>
parent 371d7e84
From 4e201b75928ff7d4894cd30ab0f5f67b9cd95f5c Mon Sep 17 00:00:00 2001
From: Steve Dickson <steved@redhat.com>
Date: Thu, 18 Jan 2018 17:33:56 +0000
Subject: [PATCH] rpcbproc_callit_com: Stop freeing a static pointer
commit 7ea36ee introduced a svc_freeargs() call
that ended up freeing static pointer.
It turns out the allocations for the rmt_args
is not necessary . The xdr routines (xdr_bytes) will
handle the memory management and the largest
possible message size is UDPMSGSIZE (due to UDP only)
which is smaller than RPC_BUF_MAX
Signed-off-by: Steve Dickson <steved@redhat.com>
(cherry picked from commit 7c7590ad536c0e24bef790cb1e65702fc54db566)
Signed-off-by: Ed Blake <ed.blake@sondrel.com>
---
src/rpcb_svc_com.c | 39 ++++++---------------------------------
1 file changed, 6 insertions(+), 33 deletions(-)
diff --git a/src/rpcb_svc_com.c b/src/rpcb_svc_com.c
index 0432b6f..64f1104 100644
--- a/src/rpcb_svc_com.c
+++ b/src/rpcb_svc_com.c
@@ -616,9 +616,9 @@ rpcbproc_callit_com(struct svc_req *rqstp, SVCXPRT *transp,
struct netconfig *nconf;
struct netbuf *caller;
struct r_rmtcall_args a;
- char *buf_alloc = NULL, *outbufp;
+ char *outbufp;
char *outbuf_alloc = NULL;
- char buf[RPC_BUF_MAX], outbuf[RPC_BUF_MAX];
+ char outbuf[RPC_BUF_MAX];
struct netbuf *na = (struct netbuf *) NULL;
struct rpc_msg call_msg;
int outlen;
@@ -639,36 +639,10 @@ rpcbproc_callit_com(struct svc_req *rqstp, SVCXPRT *transp,
}
if (si.si_socktype != SOCK_DGRAM)
return; /* Only datagram type accepted */
- sendsz = __rpc_get_t_size(si.si_af, si.si_proto, UDPMSGSIZE);
- if (sendsz == 0) { /* data transfer not supported */
- if (reply_type == RPCBPROC_INDIRECT)
- svcerr_systemerr(transp);
- return;
- }
- /*
- * Should be multiple of 4 for XDR.
- */
- sendsz = ((sendsz + 3) / 4) * 4;
- if (sendsz > RPC_BUF_MAX) {
-#ifdef notyet
- buf_alloc = alloca(sendsz); /* not in IDR2? */
-#else
- buf_alloc = malloc(sendsz);
-#endif /* notyet */
- if (buf_alloc == NULL) {
- if (debugging)
- xlog(LOG_DEBUG,
- "rpcbproc_callit_com: No Memory!\n");
- if (reply_type == RPCBPROC_INDIRECT)
- svcerr_systemerr(transp);
- return;
- }
- a.rmt_args.args = buf_alloc;
- } else {
- a.rmt_args.args = buf;
- }
+ sendsz = UDPMSGSIZE;
call_msg.rm_xid = 0; /* For error checking purposes */
+ memset(&a, 0, sizeof(a)); /* Zero out the input buffer */
if (!svc_getargs(transp, (xdrproc_t) xdr_rmtcall_args, (char *) &a)) {
if (reply_type == RPCBPROC_INDIRECT)
svcerr_decode(transp);
@@ -708,7 +682,8 @@ rpcbproc_callit_com(struct svc_req *rqstp, SVCXPRT *transp,
if (rbl == (rpcblist_ptr)NULL) {
#ifdef RPCBIND_DEBUG
if (debugging)
- xlog(LOG_DEBUG, "not found\n");
+ xlog(LOG_DEBUG, "prog %lu vers %lu: not found\n",
+ a.rmt_prog, a.rmt_vers);
#endif
if (reply_type == RPCBPROC_INDIRECT)
svcerr_noprog(transp);
@@ -941,8 +916,6 @@ out:
}
if (local_uaddr)
free(local_uaddr);
- if (buf_alloc)
- free(buf_alloc);
if (outbuf_alloc)
free(outbuf_alloc);
if (na) {
--
2.11.0
From d3f1f55e50e3c436a2ea91d60da84c3a94e6c53f Mon Sep 17 00:00:00 2001
From: Steve Dickson <steved@redhat.com>
Date: Thu, 18 Jan 2018 17:41:49 +0000
Subject: [PATCH] pmapproc_dump: Fixed typo in memory leak patch
commit 7ea36eee introduce a typo that caused
NIS (aka ypbind) to fail.
Signed-off-by: Steve Dickson <steved@redhat.com>
(cherry picked from commit c49a7ea639eb700823e174fd605bbbe183e229aa)
Signed-off-by: Ed Blake <ed.blake@sondrel.com>
---
src/pmap_svc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/pmap_svc.c b/src/pmap_svc.c
index bb57b05..ffca7df 100644
--- a/src/pmap_svc.c
+++ b/src/pmap_svc.c
@@ -384,7 +384,7 @@ pmapproc_dump(struct svc_req *rqstp /*__unused*/, SVCXPRT *xprt)
}
done:
- if (!svc_freeargs(xprt, (xdrproc_t) xdr_pmap, (char *)NULL)) {
+ if (!svc_freeargs(xprt, (xdrproc_t) xdr_void, (char *)NULL)) {
if (debugging) {
(void) xlog(LOG_DEBUG, "unable to free arguments\n");
if (doabort) {
--
2.11.0
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment