Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-12-SP3:GA
libtirpc.8258
0001-fix-remote-rpcbind-denial-of-service-vulne...
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File 0001-fix-remote-rpcbind-denial-of-service-vulnerability.patch of Package libtirpc.8258
From d850358a75860752767656c864a8e1288cb8df69 Mon Sep 17 00:00:00 2001 From: Thomas Blume <Thomas.Blume@suse.com> Date: Fri, 5 May 2017 14:28:24 +0200 Subject: [PATCH] fix remote rpcbind denial-of-service vulnerability VUL-0: CVE-2017-8779: rpcbomb: remote rpcbind denial-of-service (bsc#1037559) --- src/rpc_generic.c | 8 ++++++++ src/rpcb_prot.c | 22 ++++++++++++++-------- src/rpcb_st_xdr.c | 9 +++++---- src/xdr.c | 30 +++++++++++++++++++++++++----- 4 files changed, 52 insertions(+), 17 deletions(-) diff --git a/src/rpc_generic.c b/src/rpc_generic.c index 2f09a8f..589cbd5 100644 --- a/src/rpc_generic.c +++ b/src/rpc_generic.c @@ -615,6 +615,9 @@ __rpc_taddr2uaddr_af(int af, const struct netbuf *nbuf) switch (af) { case AF_INET: + if (nbuf->len < sizeof(*sin)) { + return NULL; + } sin = nbuf->buf; if (inet_ntop(af, &sin->sin_addr, namebuf, sizeof namebuf) == NULL) @@ -626,6 +629,9 @@ __rpc_taddr2uaddr_af(int af, const struct netbuf *nbuf) break; #ifdef INET6 case AF_INET6: + if (nbuf->len < sizeof(*sin6)) { + return NULL; + } sin6 = nbuf->buf; if (inet_ntop(af, &sin6->sin6_addr, namebuf6, sizeof namebuf6) == NULL) @@ -667,6 +673,8 @@ __rpc_uaddr2taddr_af(int af, const char *uaddr) port = 0; sin = NULL; + if (uaddr == NULL) + return NULL; addrstr = strdup(uaddr); if (addrstr == NULL) return NULL; diff --git a/src/rpcb_prot.c b/src/rpcb_prot.c index 43fd385..a923c8e 100644 --- a/src/rpcb_prot.c +++ b/src/rpcb_prot.c @@ -41,6 +41,7 @@ #include <rpc/types.h> #include <rpc/xdr.h> #include <rpc/rpcb_prot.h> +#include "rpc_com.h" bool_t xdr_rpcb(xdrs, objp) @@ -53,13 +54,13 @@ xdr_rpcb(xdrs, objp) if (!xdr_u_int32_t(xdrs, &objp->r_vers)) { return (FALSE); } - if (!xdr_string(xdrs, &objp->r_netid, (u_int)~0)) { + if (!xdr_string(xdrs, &objp->r_netid, RPC_MAXDATASIZE)) { return (FALSE); } - if (!xdr_string(xdrs, &objp->r_addr, (u_int)~0)) { + if (!xdr_string(xdrs, &objp->r_addr, RPC_MAXDATASIZE)) { return (FALSE); } - if (!xdr_string(xdrs, &objp->r_owner, (u_int)~0)) { + if (!xdr_string(xdrs, &objp->r_owner, RPC_MAXDATASIZE)) { return (FALSE); } return (TRUE); @@ -159,19 +160,19 @@ xdr_rpcb_entry(xdrs, objp) XDR *xdrs; rpcb_entry *objp; { - if (!xdr_string(xdrs, &objp->r_maddr, (u_int)~0)) { + if (!xdr_string(xdrs, &objp->r_maddr, RPC_MAXDATASIZE)) { return (FALSE); } - if (!xdr_string(xdrs, &objp->r_nc_netid, (u_int)~0)) { + if (!xdr_string(xdrs, &objp->r_nc_netid, RPC_MAXDATASIZE)) { return (FALSE); } if (!xdr_u_int32_t(xdrs, &objp->r_nc_semantics)) { return (FALSE); } - if (!xdr_string(xdrs, &objp->r_nc_protofmly, (u_int)~0)) { + if (!xdr_string(xdrs, &objp->r_nc_protofmly, RPC_MAXDATASIZE)) { return (FALSE); } - if (!xdr_string(xdrs, &objp->r_nc_proto, (u_int)~0)) { + if (!xdr_string(xdrs, &objp->r_nc_proto, RPC_MAXDATASIZE)) { return (FALSE); } return (TRUE); @@ -292,7 +293,7 @@ xdr_rpcb_rmtcallres(xdrs, p) bool_t dummy; struct r_rpcb_rmtcallres *objp = (struct r_rpcb_rmtcallres *)(void *)p; - if (!xdr_string(xdrs, &objp->addr, (u_int)~0)) { + if (!xdr_string(xdrs, &objp->addr, RPC_MAXDATASIZE)) { return (FALSE); } if (!xdr_u_int(xdrs, &objp->results.results_len)) { @@ -312,6 +313,11 @@ xdr_netbuf(xdrs, objp) if (!xdr_u_int32_t(xdrs, (u_int32_t *) &objp->maxlen)) { return (FALSE); } + + if (objp->maxlen > RPC_MAXDATASIZE) { + return (FALSE); + } + dummy = xdr_bytes(xdrs, (char **)&(objp->buf), (u_int *)&(objp->len), objp->maxlen); return (dummy); diff --git a/src/rpcb_st_xdr.c b/src/rpcb_st_xdr.c index 08db745..28e6a48 100644 --- a/src/rpcb_st_xdr.c +++ b/src/rpcb_st_xdr.c @@ -37,6 +37,7 @@ #include <rpc/rpc.h> +#include "rpc_com.h" /* Link list of all the stats about getport and getaddr */ @@ -58,7 +59,7 @@ xdr_rpcbs_addrlist(xdrs, objp) if (!xdr_int(xdrs, &objp->failure)) { return (FALSE); } - if (!xdr_string(xdrs, &objp->netid, (u_int)~0)) { + if (!xdr_string(xdrs, &objp->netid, RPC_MAXDATASIZE)) { return (FALSE); } @@ -109,7 +110,7 @@ xdr_rpcbs_rmtcalllist(xdrs, objp) IXDR_PUT_INT32(buf, objp->failure); IXDR_PUT_INT32(buf, objp->indirect); } - if (!xdr_string(xdrs, &objp->netid, (u_int)~0)) { + if (!xdr_string(xdrs, &objp->netid, RPC_MAXDATASIZE)) { return (FALSE); } if (!xdr_pointer(xdrs, (char **)&objp->next, @@ -147,7 +148,7 @@ xdr_rpcbs_rmtcalllist(xdrs, objp) objp->failure = (int)IXDR_GET_INT32(buf); objp->indirect = (int)IXDR_GET_INT32(buf); } - if (!xdr_string(xdrs, &objp->netid, (u_int)~0)) { + if (!xdr_string(xdrs, &objp->netid, RPC_MAXDATASIZE)) { return (FALSE); } if (!xdr_pointer(xdrs, (char **)&objp->next, @@ -175,7 +176,7 @@ xdr_rpcbs_rmtcalllist(xdrs, objp) if (!xdr_int(xdrs, &objp->indirect)) { return (FALSE); } - if (!xdr_string(xdrs, &objp->netid, (u_int)~0)) { + if (!xdr_string(xdrs, &objp->netid, RPC_MAXDATASIZE)) { return (FALSE); } if (!xdr_pointer(xdrs, (char **)&objp->next, diff --git a/src/xdr.c b/src/xdr.c index f3fb9ad..b9a1558 100644 --- a/src/xdr.c +++ b/src/xdr.c @@ -42,8 +42,10 @@ #include <stdlib.h> #include <string.h> +#include <rpc/rpc.h> #include <rpc/types.h> #include <rpc/xdr.h> +#include <rpc/rpc_com.h> typedef quad_t longlong_t; /* ANSI long long type */ typedef u_quad_t u_longlong_t; /* ANSI unsigned long long type */ @@ -53,7 +55,6 @@ typedef u_quad_t u_longlong_t; /* ANSI unsigned long long type */ */ #define XDR_FALSE ((long) 0) #define XDR_TRUE ((long) 1) -#define LASTUNSIGNED ((u_int) 0-1) /* * for unit alignment @@ -629,6 +630,7 @@ xdr_bytes(xdrs, cpp, sizep, maxsize) { char *sp = *cpp; /* sp is the actual string pointer */ u_int nodesize; + bool_t ret, allocated = FALSE; /* * first deal with the length since xdr bytes are counted @@ -652,6 +654,7 @@ xdr_bytes(xdrs, cpp, sizep, maxsize) } if (sp == NULL) { *cpp = sp = mem_alloc(nodesize); + allocated = TRUE; } if (sp == NULL) { warnx("xdr_bytes: out of memory"); @@ -660,7 +663,14 @@ xdr_bytes(xdrs, cpp, sizep, maxsize) /* FALLTHROUGH */ case XDR_ENCODE: - return (xdr_opaque(xdrs, sp, nodesize)); + ret = xdr_opaque(xdrs, sp, nodesize); + if ((xdrs->x_op == XDR_DECODE) && (ret == FALSE)) { + if (allocated == TRUE) { + free(sp); + *cpp = NULL; + } + } + return (ret); case XDR_FREE: if (sp != NULL) { @@ -754,6 +764,7 @@ xdr_string(xdrs, cpp, maxsize) char *sp = *cpp; /* sp is the actual string pointer */ u_int size; u_int nodesize; + bool_t ret, allocated = FALSE; /* * first deal with the length since xdr strings are counted-strings @@ -793,8 +804,10 @@ xdr_string(xdrs, cpp, maxsize) switch (xdrs->x_op) { case XDR_DECODE: - if (sp == NULL) + if (sp == NULL) { *cpp = sp = mem_alloc(nodesize); + allocated = TRUE; + } if (sp == NULL) { warnx("xdr_string: out of memory"); return (FALSE); @@ -803,7 +816,14 @@ xdr_string(xdrs, cpp, maxsize) /* FALLTHROUGH */ case XDR_ENCODE: - return (xdr_opaque(xdrs, sp, size)); + ret = xdr_opaque(xdrs, sp, size); + if ((xdrs->x_op == XDR_DECODE) && (ret == FALSE)) { + if (allocated == TRUE) { + free(sp); + *cpp = NULL; + } + } + return (ret); case XDR_FREE: mem_free(sp, nodesize); @@ -823,7 +843,7 @@ xdr_wrapstring(xdrs, cpp) XDR *xdrs; char **cpp; { - return xdr_string(xdrs, cpp, LASTUNSIGNED); + return xdr_string(xdrs, cpp, RPC_MAXDATASIZE); } /* -- 2.12.0
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor