139 lines
4.3 KiB
Diff
139 lines
4.3 KiB
Diff
commit de47f6323d8fb20feefee21d0195cf0529151e04
|
|
Author: Steve Dickson <steved@redhat.com>
|
|
Date: Thu Sep 17 15:57:35 2015 -0400
|
|
|
|
security.c: removed warning
|
|
|
|
src/security.c:100:8: warning: implicit declaration of function 'xlog'
|
|
[-Wimplicit-function-declaration]
|
|
|
|
Signed-off-by: Steve Dickson <steved@redhat.com>
|
|
|
|
diff --git a/src/security.c b/src/security.c
|
|
index 0c9453f..c54ce26 100644
|
|
--- a/src/security.c
|
|
+++ b/src/security.c
|
|
@@ -17,6 +17,8 @@
|
|
#include <syslog.h>
|
|
#include <netdb.h>
|
|
|
|
+#include "xlog.h"
|
|
+
|
|
/*
|
|
* XXX for special case checks in check_callit.
|
|
*/
|
|
|
|
commit d5dace219953c45d26ae42db238052b68540649a
|
|
Author: Olaf Kirch <okir@suse.de>
|
|
Date: Fri Oct 30 10:18:20 2015 -0400
|
|
|
|
Fix memory corruption in PMAP_CALLIT code
|
|
|
|
- A PMAP_CALLIT call comes in on IPv4 UDP
|
|
- rpcbind duplicates the caller's address to a netbuf and stores it in
|
|
FINFO[0].caller_addr. caller_addr->buf now points to a memory region A
|
|
with a size of 16 bytes
|
|
- rpcbind forwards the call to the local service, receives a reply
|
|
- when processing the reply, it does this in xprt_set_caller:
|
|
xprt->xp_rtaddr = *FINFO[0].caller_addr
|
|
It sends out the reply, and then frees the netbuf caller_addr and
|
|
caller_addr.buf.
|
|
However, it does not clear xp_rtaddr, so xp_rtaddr.buf now refers
|
|
to memory region A, which is free.
|
|
- When the next call comes in on the UDP/IPv4 socket, svc_dg_recv will
|
|
be called, which will set xp_rtaddr to the client's address.
|
|
It will reuse the buffer inside xp_rtaddr, ie it will write a
|
|
sockaddr_in to region A
|
|
|
|
Some time down the road, an incoming TCP connection is accepted,
|
|
allocating a fresh SVCXPRT. The memory region A is inside the
|
|
new SVCXPRT
|
|
|
|
- While processing the TCP call, another UDP call comes in, again
|
|
overwriting region A with the client's address
|
|
- TCP client closes connection. In svc_destroy, we now trip over
|
|
the garbage left in region A
|
|
|
|
We ran into the case where a commercial scanner was triggering
|
|
occasional rpcbind segfaults. The core file that was captured showed
|
|
a corrupted xprt->xp_netid pointer that was really a sockaddr_in.
|
|
|
|
Signed-off-by: Olaf Kirch <okir@suse.de>
|
|
Signed-off-by: Steve Dickson <steved@redhat.com>
|
|
|
|
diff --git a/src/rpcb_svc_com.c b/src/rpcb_svc_com.c
|
|
index ff9ce6b..4ae93f1 100644
|
|
--- a/src/rpcb_svc_com.c
|
|
+++ b/src/rpcb_svc_com.c
|
|
@@ -1183,12 +1183,33 @@ check_rmtcalls(struct pollfd *pfds, int nfds)
|
|
return (ncallbacks_found);
|
|
}
|
|
|
|
+/*
|
|
+ * This is really a helper function defined in libtirpc,
|
|
+ * but unfortunately, it hasn't been exported yet.
|
|
+ */
|
|
+static struct netbuf *
|
|
+__rpc_set_netbuf(struct netbuf *nb, const void *ptr, size_t len)
|
|
+{
|
|
+ if (nb->len != len) {
|
|
+ if (nb->len)
|
|
+ mem_free(nb->buf, nb->len);
|
|
+ nb->buf = mem_alloc(len);
|
|
+ if (nb->buf == NULL)
|
|
+ return NULL;
|
|
+
|
|
+ nb->maxlen = nb->len = len;
|
|
+ }
|
|
+ memcpy(nb->buf, ptr, len);
|
|
+ return nb;
|
|
+}
|
|
+
|
|
static void
|
|
xprt_set_caller(SVCXPRT *xprt, struct finfo *fi)
|
|
{
|
|
+ const struct netbuf *caller = fi->caller_addr;
|
|
u_int32_t *xidp;
|
|
|
|
- *(svc_getrpccaller(xprt)) = *(fi->caller_addr);
|
|
+ __rpc_set_netbuf(svc_getrpccaller(xprt), caller->buf, caller->len);
|
|
xidp = __rpcb_get_dg_xidp(xprt);
|
|
*xidp = fi->caller_xid;
|
|
}
|
|
|
|
commit 9194122389f2a56b1cd1f935e64307e2e963c2da
|
|
Author: Steve Dickson <steved@redhat.com>
|
|
Date: Mon Nov 2 17:05:18 2015 -0500
|
|
|
|
handle_reply: Don't use the xp_auth pointer directly
|
|
|
|
In the latest libtirpc version to access the xp_auth
|
|
one must use the SVC_XP_AUTH macro. To be backwards
|
|
compatible a couple ifdefs were added to use the
|
|
macro when it exists.
|
|
|
|
Signed-off-by: Steve Dickson <steved@redhat.com>
|
|
|
|
diff --git a/src/rpcb_svc_com.c b/src/rpcb_svc_com.c
|
|
index 4ae93f1..22d6c84 100644
|
|
--- a/src/rpcb_svc_com.c
|
|
+++ b/src/rpcb_svc_com.c
|
|
@@ -1295,10 +1295,17 @@ handle_reply(int fd, SVCXPRT *xprt)
|
|
a.rmt_localvers = fi->versnum;
|
|
|
|
xprt_set_caller(xprt, fi);
|
|
+#if defined(SVC_XP_AUTH)
|
|
+ SVC_XP_AUTH(xprt) = svc_auth_none;
|
|
+#else
|
|
xprt->xp_auth = &svc_auth_none;
|
|
+#endif
|
|
svc_sendreply(xprt, (xdrproc_t) xdr_rmtcall_result, (char *) &a);
|
|
+#if !defined(SVC_XP_AUTH)
|
|
SVCAUTH_DESTROY(xprt->xp_auth);
|
|
xprt->xp_auth = NULL;
|
|
+#endif
|
|
+
|
|
done:
|
|
if (buffer)
|
|
free(buffer);
|