commit de47f6323d8fb20feefee21d0195cf0529151e04 Author: Steve Dickson Date: Thu Sep 17 15:57:35 2015 -0400 security.c: removed warning src/security.c:100:8: warning: implicit declaration of function 'xlog' [-Wimplicit-function-declaration] Signed-off-by: Steve Dickson diff --git a/src/security.c b/src/security.c index 0c9453f..c54ce26 100644 --- a/src/security.c +++ b/src/security.c @@ -17,6 +17,8 @@ #include #include +#include "xlog.h" + /* * XXX for special case checks in check_callit. */ commit d5dace219953c45d26ae42db238052b68540649a Author: Olaf Kirch Date: Fri Oct 30 10:18:20 2015 -0400 Fix memory corruption in PMAP_CALLIT code - A PMAP_CALLIT call comes in on IPv4 UDP - rpcbind duplicates the caller's address to a netbuf and stores it in FINFO[0].caller_addr. caller_addr->buf now points to a memory region A with a size of 16 bytes - rpcbind forwards the call to the local service, receives a reply - when processing the reply, it does this in xprt_set_caller: xprt->xp_rtaddr = *FINFO[0].caller_addr It sends out the reply, and then frees the netbuf caller_addr and caller_addr.buf. However, it does not clear xp_rtaddr, so xp_rtaddr.buf now refers to memory region A, which is free. - When the next call comes in on the UDP/IPv4 socket, svc_dg_recv will be called, which will set xp_rtaddr to the client's address. It will reuse the buffer inside xp_rtaddr, ie it will write a sockaddr_in to region A Some time down the road, an incoming TCP connection is accepted, allocating a fresh SVCXPRT. The memory region A is inside the new SVCXPRT - While processing the TCP call, another UDP call comes in, again overwriting region A with the client's address - TCP client closes connection. In svc_destroy, we now trip over the garbage left in region A We ran into the case where a commercial scanner was triggering occasional rpcbind segfaults. The core file that was captured showed a corrupted xprt->xp_netid pointer that was really a sockaddr_in. Signed-off-by: Olaf Kirch Signed-off-by: Steve Dickson diff --git a/src/rpcb_svc_com.c b/src/rpcb_svc_com.c index ff9ce6b..4ae93f1 100644 --- a/src/rpcb_svc_com.c +++ b/src/rpcb_svc_com.c @@ -1183,12 +1183,33 @@ check_rmtcalls(struct pollfd *pfds, int nfds) return (ncallbacks_found); } +/* + * This is really a helper function defined in libtirpc, + * but unfortunately, it hasn't been exported yet. + */ +static struct netbuf * +__rpc_set_netbuf(struct netbuf *nb, const void *ptr, size_t len) +{ + if (nb->len != len) { + if (nb->len) + mem_free(nb->buf, nb->len); + nb->buf = mem_alloc(len); + if (nb->buf == NULL) + return NULL; + + nb->maxlen = nb->len = len; + } + memcpy(nb->buf, ptr, len); + return nb; +} + static void xprt_set_caller(SVCXPRT *xprt, struct finfo *fi) { + const struct netbuf *caller = fi->caller_addr; u_int32_t *xidp; - *(svc_getrpccaller(xprt)) = *(fi->caller_addr); + __rpc_set_netbuf(svc_getrpccaller(xprt), caller->buf, caller->len); xidp = __rpcb_get_dg_xidp(xprt); *xidp = fi->caller_xid; } commit 9194122389f2a56b1cd1f935e64307e2e963c2da Author: Steve Dickson Date: Mon Nov 2 17:05:18 2015 -0500 handle_reply: Don't use the xp_auth pointer directly In the latest libtirpc version to access the xp_auth one must use the SVC_XP_AUTH macro. To be backwards compatible a couple ifdefs were added to use the macro when it exists. Signed-off-by: Steve Dickson diff --git a/src/rpcb_svc_com.c b/src/rpcb_svc_com.c index 4ae93f1..22d6c84 100644 --- a/src/rpcb_svc_com.c +++ b/src/rpcb_svc_com.c @@ -1295,10 +1295,17 @@ handle_reply(int fd, SVCXPRT *xprt) a.rmt_localvers = fi->versnum; xprt_set_caller(xprt, fi); +#if defined(SVC_XP_AUTH) + SVC_XP_AUTH(xprt) = svc_auth_none; +#else xprt->xp_auth = &svc_auth_none; +#endif svc_sendreply(xprt, (xdrproc_t) xdr_rmtcall_result, (char *) &a); +#if !defined(SVC_XP_AUTH) SVCAUTH_DESTROY(xprt->xp_auth); xprt->xp_auth = NULL; +#endif + done: if (buffer) free(buffer);