1 commit de47f6323d8fb20feefee21d0195cf0529151e04
2 Author: Steve Dickson <steved@redhat.com>
3 Date: Thu Sep 17 15:57:35 2015 -0400
4
5 security.c: removed warning
6
7 src/security.c:100:8: warning: implicit declaration of function 'xlog'
8 [-Wimplicit-function-declaration]
9
10 Signed-off-by: Steve Dickson <steved@redhat.com>
11
12 diff --git a/src/security.c b/src/security.c
13 index 0c9453f..c54ce26 100644
14 --- a/src/security.c
15 +++ b/src/security.c
16 @@ -17,6 +17,8 @@
17 #include <syslog.h>
18 #include <netdb.h>
19
20 +#include "xlog.h"
21 +
22 /*
23 * XXX for special case checks in check_callit.
24 */
25
26 commit d5dace219953c45d26ae42db238052b68540649a
27 Author: Olaf Kirch <okir@suse.de>
28 Date: Fri Oct 30 10:18:20 2015 -0400
29
30 Fix memory corruption in PMAP_CALLIT code
31
32 - A PMAP_CALLIT call comes in on IPv4 UDP
33 - rpcbind duplicates the caller's address to a netbuf and stores it in
34 FINFO[0].caller_addr. caller_addr->buf now points to a memory region A
35 with a size of 16 bytes
36 - rpcbind forwards the call to the local service, receives a reply
37 - when processing the reply, it does this in xprt_set_caller:
38 xprt->xp_rtaddr = *FINFO[0].caller_addr
39 It sends out the reply, and then frees the netbuf caller_addr and
40 caller_addr.buf.
41 However, it does not clear xp_rtaddr, so xp_rtaddr.buf now refers
42 to memory region A, which is free.
43 - When the next call comes in on the UDP/IPv4 socket, svc_dg_recv will
44 be called, which will set xp_rtaddr to the client's address.
45 It will reuse the buffer inside xp_rtaddr, ie it will write a
46 sockaddr_in to region A
47
48 Some time down the road, an incoming TCP connection is accepted,
49 allocating a fresh SVCXPRT. The memory region A is inside the
50 new SVCXPRT
51
52 - While processing the TCP call, another UDP call comes in, again
53 overwriting region A with the client's address
54 - TCP client closes connection. In svc_destroy, we now trip over
55 the garbage left in region A
56
57 We ran into the case where a commercial scanner was triggering
58 occasional rpcbind segfaults. The core file that was captured showed
59 a corrupted xprt->xp_netid pointer that was really a sockaddr_in.
60
61 Signed-off-by: Olaf Kirch <okir@suse.de>
62 Signed-off-by: Steve Dickson <steved@redhat.com>
63
64 diff --git a/src/rpcb_svc_com.c b/src/rpcb_svc_com.c
65 index ff9ce6b..4ae93f1 100644
66 --- a/src/rpcb_svc_com.c
67 +++ b/src/rpcb_svc_com.c
68 @@ -1183,12 +1183,33 @@ check_rmtcalls(struct pollfd *pfds, int nfds)
69 return (ncallbacks_found);
70 }
71
72 +/*
73 + * This is really a helper function defined in libtirpc,
74 + * but unfortunately, it hasn't been exported yet.
75 + */
76 +static struct netbuf *
77 +__rpc_set_netbuf(struct netbuf *nb, const void *ptr, size_t len)
78 +{
79 + if (nb->len != len) {
80 + if (nb->len)
81 + mem_free(nb->buf, nb->len);
82 + nb->buf = mem_alloc(len);
83 + if (nb->buf == NULL)
84 + return NULL;
85 +
86 + nb->maxlen = nb->len = len;
87 + }
88 + memcpy(nb->buf, ptr, len);
89 + return nb;
90 +}
91 +
92 static void
93 xprt_set_caller(SVCXPRT *xprt, struct finfo *fi)
94 {
95 + const struct netbuf *caller = fi->caller_addr;
96 u_int32_t *xidp;
97
98 - *(svc_getrpccaller(xprt)) = *(fi->caller_addr);
99 + __rpc_set_netbuf(svc_getrpccaller(xprt), caller->buf, caller->len);
100 xidp = __rpcb_get_dg_xidp(xprt);
101 *xidp = fi->caller_xid;
102 }
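Review bot: The result of __rpc_set_netbuf() is discarded at `__rpc_set_netbuf(svc_getrpccaller(xprt), caller->buf, caller->len);` in xprt_set_caller, and on an allocation failure the helper leaves the netbuf inconsistent: nb->buf is NULL while nb->len and nb->maxlen still hold the old length, so the reply goes out with a NULL caller address and the next call into the helper carries that stale length forward. Resetting the lengths on the failure path keeps the netbuf self-consistent, e.g. `if (nb->buf == NULL) { nb->len = nb->maxlen = 0; return NULL; }`, and xprt_set_caller should at least check the return value and log the failure instead of proceeding to svc_sendreply with an unset address. The name __rpc_set_netbuf is in the reserved double-underscore namespace and, once libtirpc does export the helper the comment mentions, a static definition with the same name in this file would conflict with the library's declaration; a local name such as rpcb_set_netbuf would avoid that. The call to mem_alloc/mem_free presumably maps onto calloc/free as in libtirpc, but that is not visible here; confirm that mem_free tolerates the size argument as used. handle_reply, the caller of xprt_set_caller, lies outside this hunk.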
103
104 commit 9194122389f2a56b1cd1f935e64307e2e963c2da
105 Author: Steve Dickson <steved@redhat.com>
106 Date: Mon Nov 2 17:05:18 2015 -0500
107
108 handle_reply: Don't use the xp_auth pointer directly
109
110 In the latest libtirpc version, the xp_auth field must be
111 accessed through the SVC_XP_AUTH macro. To stay backwards
112 compatible, a couple of ifdefs were added to use the
113 macro when it exists.
114
115 Signed-off-by: Steve Dickson <steved@redhat.com>
116
117 diff --git a/src/rpcb_svc_com.c b/src/rpcb_svc_com.c
118 index 4ae93f1..22d6c84 100644
119 --- a/src/rpcb_svc_com.c
120 +++ b/src/rpcb_svc_com.c
121 @@ -1295,10 +1295,17 @@ handle_reply(int fd, SVCXPRT *xprt)
122 a.rmt_localvers = fi->versnum;
123
124 xprt_set_caller(xprt, fi);
125 +#if defined(SVC_XP_AUTH)
126 + SVC_XP_AUTH(xprt) = svc_auth_none;
127 +#else
128 xprt->xp_auth = &svc_auth_none;
129 +#endif
130 svc_sendreply(xprt, (xdrproc_t) xdr_rmtcall_result, (char *) &a);
131 +#if !defined(SVC_XP_AUTH)
132 SVCAUTH_DESTROY(xprt->xp_auth);
133 xprt->xp_auth = NULL;
134 +#endif
135 +
136 done:
137 if (buffer)
138 free(buffer);
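Review bot: The two preprocessor blocks test SVC_XP_AUTH with opposite sense on either side of `svc_sendreply`, and nothing explains why the SVC_XP_AUTH path needs no SVCAUTH_DESTROY and no NULL reset; a comment on the first block would spare the next reader a trip through libtirpc, e.g. `/* With SVC_XP_AUTH the auth is embedded and assigned by value, so there is nothing to destroy after the reply. */` — assuming, as the struct assignment through the macro suggests, that SVC_XP_AUTH names an embedded SVCAUTH rather than a pointer; confirm against the libtirpc header before committing to that wording. In the legacy path xp_auth is left NULL after the reply, so anything after `done:` that touches it must cope with that, which the hunk does not show. The added blank `+` line before `done:` is whitespace noise and could be dropped. handle_reply begins before the hunk and its cleanup continues past `free(buffer)`.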
|