Accepting request 360882 from home:kukuk:branches:network

- Add 0006-don-t-use-svc_fdset.patch: don't use the svc_fdset 
  interface for libtirpc, which is limited to 1024 connections.

- Sync with current git:
  - Replace 0002-revert-auth.patch with 
    0002-handle_reply-Don-t-use-the-xp_auth-pointer-directly.patch
  - Add 0003-Delete-the-unix-socket-only-if-we-have-created-it.patch
    to fix problems with activation via sockets by systemd
  - Replace 0032-CVE-2015-7236.patch with 
    0004-Fix-memory-corruption-in-PMAP_CALLIT-code.patch
  - Add 0005-security.c-removed-warning.patch to fix compiler warnings
- Temporary remove 099-poll.patch

- Disable 0030-systemd-fix-rmtcall.patch, needs the other disabled
  patches. 
- Submit for SLE12SP2 [FATE#320393]

- Add patch 0032-CVE-2015-7236.patch to fix a segfault on certain
  remote scans [CVE-2015-7236, bsc#940191, bsc#946204]

- Document how to restrict addresses that rpcbind will listen on
  [bsc#935102]
  Added 0031-rpcbind-manpage.patch

- Add patch 0030-systemd-fix-rmtcall.patch to fix rmtcall
  forwarding (bnc#932423)

OBS-URL: https://build.opensuse.org/request/show/360882
OBS-URL: https://build.opensuse.org/package/show/network/rpcbind?expand=0&rev=58
This commit is contained in:
Dirk Mueller 2016-02-22 15:04:42 +00:00 committed by Git OBS Bridge
parent 387fd3baf9
commit 1abcad9219
10 changed files with 379 additions and 47 deletions

View File

@ -0,0 +1,40 @@
From 9194122389f2a56b1cd1f935e64307e2e963c2da Mon Sep 17 00:00:00 2001
From: Steve Dickson <steved@redhat.com>
Date: Mon, 2 Nov 2015 17:05:18 -0500
Subject: [PATCH 3/4] handle_reply: Don't use the xp_auth pointer directly
In the latest libtirpc version to access the xp_auth
one must use the SVC_XP_AUTH macro. To be backwards
compatible a couple ifdefs were added to use the
macro when it exists.
Signed-off-by: Steve Dickson <steved@redhat.com>
---
src/rpcb_svc_com.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/src/rpcb_svc_com.c b/src/rpcb_svc_com.c
index 4ae93f1..22d6c84 100644
--- a/src/rpcb_svc_com.c
+++ b/src/rpcb_svc_com.c
@@ -1295,10 +1295,17 @@ handle_reply(int fd, SVCXPRT *xprt)
a.rmt_localvers = fi->versnum;
xprt_set_caller(xprt, fi);
+#if defined(SVC_XP_AUTH)
+ SVC_XP_AUTH(xprt) = svc_auth_none;
+#else
xprt->xp_auth = &svc_auth_none;
+#endif
svc_sendreply(xprt, (xdrproc_t) xdr_rmtcall_result, (char *) &a);
+#if !defined(SVC_XP_AUTH)
SVCAUTH_DESTROY(xprt->xp_auth);
xprt->xp_auth = NULL;
+#endif
+
done:
if (buffer)
free(buffer);
--
1.8.5.6

View File

@ -1,35 +0,0 @@
commit 86036582c001e99075f4d74cb3829df39f2a9ddf
Author: Frank Hirtz <fhirtz@redhat.com>
Date: Tue Oct 23 11:38:20 2012 -0400
rpcbind is "swallowing" broadcast RPC replies
If xp_auth is NULL, the transport routines will not send
the reply. This patch fixes that problem.
Signed-off-by: Steve Dickson <steved@redhat.com>
diff --git a/src/rpcb_svc_com.c b/src/rpcb_svc_com.c
index 5bb9a44..f6bd6bd 100644
--- a/src/rpcb_svc_com.c
+++ b/src/rpcb_svc_com.c
@@ -1227,6 +1227,8 @@ send_svcsyserr(SVCXPRT *xprt, struct finfo *fi)
return;
}
+extern SVCAUTH svc_auth_none;
+
static void
handle_reply(int fd, SVCXPRT *xprt)
{
@@ -1293,7 +1295,10 @@ handle_reply(int fd, SVCXPRT *xprt)
a.rmt_localvers = fi->versnum;
xprt_set_caller(xprt, fi);
+ xprt->xp_auth = &svc_auth_none;
svc_sendreply(xprt, (xdrproc_t) xdr_rmtcall_result, (char *) &a);
+ SVCAUTH_DESTROY(xprt->xp_auth);
+ xprt->xp_auth = NULL;
done:
if (buffer)
free(buffer);

View File

@ -0,0 +1,51 @@
From 3a664b1b5a310df39bd0f325b0edb1deb31c2249 Mon Sep 17 00:00:00 2001
From: Laurent Bigonville <bigon@bigon.be>
Date: Wed, 18 Nov 2015 14:34:26 -0500
Subject: [PATCH] Delete the unix socket only if we have created it
From: Laurent Bigonville <bigon@bigon.be>
If systemd has created the unix socket on our behalf, we shouldn't try
to delete it.
https://bugzilla.redhat.com/show_bug.cgi?id=1279076
Signed-off-by: Laurent Bigonville <bigon@bigon.be
Signed-off-by: Steve Dickson <steved@redhat.com>
---
src/rpcbind.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/rpcbind.c b/src/rpcbind.c
index 045daa1..c4265cd 100644
--- a/src/rpcbind.c
+++ b/src/rpcbind.c
@@ -87,6 +87,7 @@ static inline void __nss_configure_lookup(const char *db, const char *s) {}
int debugging = 0; /* Tell me what's going on */
int doabort = 0; /* When debugging, do an abort on errors */
int dofork = 1; /* fork? */
+int createdsocket = 0; /* Did I create the socket or systemd did it for me? */
rpcblist_ptr list_rbl; /* A list of version 3/4 rpcbind services */
@@ -445,6 +446,7 @@ init_transport(struct netconfig *nconf)
memset(&sun, 0, sizeof sun);
sun.sun_family = AF_LOCAL;
unlink(_PATH_RPCBINDSOCK);
+ createdsocket = 1; /* We are now in the process of creating the unix socket */
strcpy(sun.sun_path, _PATH_RPCBINDSOCK);
addrlen = SUN_LEN(&sun);
sa = (struct sockaddr *)&sun;
@@ -846,7 +848,8 @@ static void
terminate(int dummy /*__unused*/)
{
close(rpcbindlockfd);
- unlink(_PATH_RPCBINDSOCK);
+ if(createdsocket)
+ unlink(_PATH_RPCBINDSOCK);
unlink(RPCBINDDLOCK);
#ifdef WARMSTART
write_warmstart(); /* Dump yourself */
--
1.8.5.6

View File

@ -0,0 +1,82 @@
From d5dace219953c45d26ae42db238052b68540649a Mon Sep 17 00:00:00 2001
From: Olaf Kirch <okir@suse.de>
Date: Fri, 30 Oct 2015 10:18:20 -0400
Subject: [PATCH 2/4] Fix memory corruption in PMAP_CALLIT code
- A PMAP_CALLIT call comes in on IPv4 UDP
- rpcbind duplicates the caller's address to a netbuf and stores it in
FINFO[0].caller_addr. caller_addr->buf now points to a memory region A
with a size of 16 bytes
- rpcbind forwards the call to the local service, receives a reply
- when processing the reply, it does this in xprt_set_caller:
xprt->xp_rtaddr = *FINFO[0].caller_addr
It sends out the reply, and then frees the netbuf caller_addr and
caller_addr.buf.
However, it does not clear xp_rtaddr, so xp_rtaddr.buf now refers
to memory region A, which is free.
- When the next call comes in on the UDP/IPv4 socket, svc_dg_recv will
be called, which will set xp_rtaddr to the client's address.
It will reuse the buffer inside xp_rtaddr, ie it will write a
sockaddr_in to region A
Some time down the road, an incoming TCP connection is accepted,
allocating a fresh SVCXPRT. The memory region A is inside the
new SVCXPRT
- While processing the TCP call, another UDP call comes in, again
overwriting region A with the client's address
- TCP client closes connection. In svc_destroy, we now trip over
the garbage left in region A
We ran into the case where a commercial scanner was triggering
occasional rpcbind segfaults. The core file that was captured showed
a corrupted xprt->xp_netid pointer that was really a sockaddr_in.
Signed-off-by: Olaf Kirch <okir@suse.de>
Signed-off-by: Steve Dickson <steved@redhat.com>
---
src/rpcb_svc_com.c | 23 ++++++++++++++++++++++-
1 file changed, 22 insertions(+), 1 deletion(-)
diff --git a/src/rpcb_svc_com.c b/src/rpcb_svc_com.c
index ff9ce6b..4ae93f1 100644
--- a/src/rpcb_svc_com.c
+++ b/src/rpcb_svc_com.c
@@ -1183,12 +1183,33 @@ check_rmtcalls(struct pollfd *pfds, int nfds)
return (ncallbacks_found);
}
+/*
+ * This is really a helper function defined in libtirpc,
+ * but unfortunately, it hasn't been exported yet.
+ */
+static struct netbuf *
+__rpc_set_netbuf(struct netbuf *nb, const void *ptr, size_t len)
+{
+ if (nb->len != len) {
+ if (nb->len)
+ mem_free(nb->buf, nb->len);
+ nb->buf = mem_alloc(len);
+ if (nb->buf == NULL)
+ return NULL;
+
+ nb->maxlen = nb->len = len;
+ }
+ memcpy(nb->buf, ptr, len);
+ return nb;
+}
+
static void
xprt_set_caller(SVCXPRT *xprt, struct finfo *fi)
{
+ const struct netbuf *caller = fi->caller_addr;
u_int32_t *xidp;
- *(svc_getrpccaller(xprt)) = *(fi->caller_addr);
+ __rpc_set_netbuf(svc_getrpccaller(xprt), caller->buf, caller->len);
xidp = __rpcb_get_dg_xidp(xprt);
*xidp = fi->caller_xid;
}
--
1.8.5.6

View File

@ -0,0 +1,29 @@
From de47f6323d8fb20feefee21d0195cf0529151e04 Mon Sep 17 00:00:00 2001
From: Steve Dickson <steved@redhat.com>
Date: Thu, 17 Sep 2015 15:57:35 -0400
Subject: [PATCH 1/4] security.c: removed warning
src/security.c:100:8: warning: implicit declaration of function 'xlog'
[-Wimplicit-function-declaration]
Signed-off-by: Steve Dickson <steved@redhat.com>
---
src/security.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/src/security.c b/src/security.c
index 0c9453f..c54ce26 100644
--- a/src/security.c
+++ b/src/security.c
@@ -17,6 +17,8 @@
#include <syslog.h>
#include <netdb.h>
+#include "xlog.h"
+
/*
* XXX for special case checks in check_callit.
*/
--
1.8.5.6

View File

@ -1,8 +1,42 @@
From e97a3d42704ac83453cc85d09ed48eb9755696a5 Mon Sep 17 00:00:00 2001
From: Thorsten Kukuk <kukuk@thkukuk.de>
Date: Fri, 19 Feb 2016 15:55:38 +0100
Subject: [PATCH 1/1] rpcbind and libtirpc are both using poll in svc_run(),
but rpcbind used the old svc_fdset interface for this. This limits the
possible connections to 1024, while both could handle much more. rpcbind is
now accessing directly the svc_pollfd data of libtirpc.
Signed-off-by: Thorsten Kukuk <kukuk@thkukuk.de>
---
src/rpcb_svc_com.c | 48 ++++++++++++++++--------------------------------
1 file changed, 16 insertions(+), 32 deletions(-)
diff --git a/src/rpcb_svc_com.c b/src/rpcb_svc_com.c
index ff9ce6b..d675eda 100644
index 22d6c84..148fe42 100644
--- a/src/rpcb_svc_com.c
+++ b/src/rpcb_svc_com.c
@@ -1097,35 +1097,28 @@ netbuffree(struct netbuf *ap)
@@ -536,10 +536,6 @@ create_rmtcall_fd(struct netconfig *nconf)
rmttail->next = rmt;
rmttail = rmt;
}
- /* XXX not threadsafe */
- if (fd > svc_maxfd)
- svc_maxfd = fd;
- FD_SET(fd, &svc_fdset);
return (fd);
}
@@ -1056,9 +1052,6 @@ free_slot_by_index(int index)
fi = &FINFO[index];
if (fi->flag & FINFO_ACTIVE) {
netbuffree(fi->caller_addr);
- /* XXX may be too big, but can't access xprt array here */
- if (fi->forward_fd >= svc_maxfd)
- svc_maxfd--;
free(fi->uaddr);
fi->flag &= ~FINFO_ACTIVE;
rpcb_rmtcalls--;
@@ -1097,35 +1090,28 @@ netbuffree(struct netbuf *ap)
}
@ -38,8 +72,7 @@ index ff9ce6b..d675eda 100644
+
+ if (svc_max_pollfd == 0 && svc_pollfd == NULL)
+ return;
- switch (poll_ret = poll(pollfds, nfds, 30 * 1000)) {
+
+
+ for (i = 0; i < svc_max_pollfd; ++i)
+ {
@ -47,12 +80,13 @@ index ff9ce6b..d675eda 100644
+ my_pollfd[i].events = svc_pollfd[i].events;
+ my_pollfd[i].revents = 0;
+ }
+
- switch (poll_ret = poll(pollfds, nfds, 30 * 1000)) {
+ switch (poll_ret = poll(my_pollfd, svc_max_pollfd, 30 * 1000)) {
case -1:
/*
* We ignore all errors, continuing with the assumption
@@ -1133,8 +1126,6 @@ my_svc_run()
@@ -1133,8 +1119,6 @@ my_svc_run()
* other outside event) and not caused by poll().
*/
case 0:
@ -61,7 +95,7 @@ index ff9ce6b..d675eda 100644
continue;
default:
/*
@@ -1144,10 +1135,10 @@ my_svc_run()
@@ -1144,10 +1128,10 @@ my_svc_run()
* don't call svc_getreq_poll. Otherwise, there
* must be another so we must call svc_getreq_poll.
*/
@ -74,3 +108,6 @@ index ff9ce6b..d675eda 100644
}
}
}
--
1.8.5.6

View File

@ -0,0 +1,21 @@
The init_transport changes broke rmtcall forwarding. Fix it.
---
src/rpcbind.c | 4 ++++
1 file changed, 4 insertions(+)
Index: rpcbind-0.2.1_rc4/src/rpcbind.c
===================================================================
--- rpcbind-0.2.1_rc4.orig/src/rpcbind.c
+++ rpcbind-0.2.1_rc4/src/rpcbind.c
@@ -837,6 +837,10 @@ init_transports_systemd()
rpcbind_log_error("unable to create transport for socket fd %d", fd);
exit(1);
}
+
+ if (nconf->nc_semantics == NC_TPI_CLTS && create_rmtcall_fd(nconf) < 0) {
+ rpcbind_log_error("unable to create rmtcall fd for %s", nconf->nc_netid);
+ }
}
if (nc_handle)

View File

@ -0,0 +1,52 @@
De-emphasize the -h option and refer people to systemd instead
---
man/rpcbind.8 | 34 ++++++++++++++--------------------
1 file changed, 14 insertions(+), 20 deletions(-)
Index: rpcbind-0.2.1_rc4/man/rpcbind.8
===================================================================
--- rpcbind-0.2.1_rc4.orig/man/rpcbind.8
+++ rpcbind-0.2.1_rc4/man/rpcbind.8
@@ -86,27 +86,21 @@ checks are shown in detail.
Do not fork and become a background process.
.It Fl h
Specify specific IP addresses to bind to for UDP requests.
-This option
-may be specified multiple times and is typically necessary when running
-on a multi-homed host.
-If no
-.Fl h
-option is specified,
-.Nm
-will bind to
-.Dv INADDR_ANY ,
-which could lead to problems on a multi-homed host due to
+This option may be specified multiple times and can be used to
+restrict the interfaces rpcbind will respond to.
+Note that when
.Nm
-returning a UDP packet from a different IP address than it was
-sent to.
-Note that when specifying IP addresses with
-.Fl h ,
-.Nm
-will automatically add
-.Li 127.0.0.1
-and if IPv6 is enabled,
-.Li ::1
-to the list.
+is controlled via systemd's socket activation,
+the
+.Fl h
+option is ignored. In this case, you need to edit
+the
+.Nm ListenStream
+and
+.Nm ListenDgram
+definitions in
+.Nm /usr/lib/systemd/system/rpcbind.socket
+instead.
.It Fl i
.Dq Insecure
mode.

View File

@ -1,3 +1,29 @@
-------------------------------------------------------------------
Fri Feb 19 16:00:46 CET 2016 - kukuk@suse.de
- Add 0006-don-t-use-svc_fdset.patch: don't use the svc_fdset
interface for libtirpc, which is limited to 1024 connections.
-------------------------------------------------------------------
Fri Feb 12 16:18:30 CET 2016 - kukuk@suse.de
- Sync with current git:
- Replace 0002-revert-auth.patch with
0002-handle_reply-Don-t-use-the-xp_auth-pointer-directly.patch
- Add 0003-Delete-the-unix-socket-only-if-we-have-created-it.patch
to fix problems with activation via sockets by systemd
- Replace 0032-CVE-2015-7236.patch with
0004-Fix-memory-corruption-in-PMAP_CALLIT-code.patch
- Add 0005-security.c-removed-warning.patch to fix compiler warnings
- Temporary remove 099-poll.patch
-------------------------------------------------------------------
Wed Jan 27 15:08:00 CET 2016 - kukuk@suse.de
- Disable 0030-systemd-fix-rmtcall.patch, needs the other disabled
patches.
- Submit for SLE12SP2 [FATE#320393]
-------------------------------------------------------------------
Tue Nov 17 14:20:28 CET 2015 - kukuk@suse.de
@ -5,11 +31,30 @@ Tue Nov 17 14:20:28 CET 2015 - kukuk@suse.de
with libtirpc 1.0.1
(http://sourceforge.net/p/libtirpc/mailman/message/34585439/)
-------------------------------------------------------------------
Mon Sep 21 13:51:41 UTC 2015 - okir@suse.com
- Add patch 0032-CVE-2015-7236.patch to fix a segfault on certain
remote scans [CVE-2015-7236, bsc#940191, bsc#946204]
-------------------------------------------------------------------
Mon Jul 27 08:27:14 UTC 2015 - okir@suse.com
- Document how to restrict addresses that rpcbind will listen on
[bsc#935102]
Added 0031-rpcbind-manpage.patch
-------------------------------------------------------------------
Tue Jul 14 16:52:03 CEST 2015 - kukuk@suse.de
- Add 099-poll.patch: use libtirpc with poll() implementation
-------------------------------------------------------------------
Wed May 27 08:38:26 UTC 2015 - okir@suse.com
- Add patch 0030-systemd-fix-rmtcall.patch to fix rmtcall
forwarding (bnc#932423)
-------------------------------------------------------------------
Thu Apr 30 09:36:21 CEST 2015 - kukuk@suse.de

View File

@ -1,7 +1,7 @@
#
# spec file for package rpcbind
#
# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany.
# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@ -36,13 +36,18 @@ BuildRequires: pkgconfig(libsystemd-daemon)
PreReq: %fillup_prereq
Requires(pre): /usr/sbin/useradd
Patch1: 0001-systemd-unit-files.patch
Patch2: 0002-revert-auth.patch
Patch2: 0002-handle_reply-Don-t-use-the-xp_auth-pointer-directly.patch
Patch3: 0003-Delete-the-unix-socket-only-if-we-have-created-it.patch
Patch4: 0004-Fix-memory-corruption-in-PMAP_CALLIT-code.patch
Patch5: 0005-security.c-removed-warning.patch
Patch6: 0006-don-t-use-svc_fdset.patch
Patch8: 0008-First-part-of-init_transport-refactoring.patch
Patch9: 0009-init_transport-move-the-registration-code-into-a-sep.patch
Patch10: 0010-Fix-the-behavior-when-specifying-the-h-option.patch
Patch11: 0011-Clean-up-the-way-we-handle-the-h-option-in-init_tran.patch
Patch14: 0014-When-using-systemd-redirect-syslog-calls-to-the-syst.patch
Patch99: 099-poll.patch
Patch30: 0030-systemd-fix-rmtcall.patch
Patch31: 0031-rpcbind-manpage.patch
%define statefile /var/lib/portmap.state
%{?systemd_requires}
@ -59,13 +64,18 @@ regards to portmap.
%setup -q
cp %{SOURCE4} .
%patch1 -p1
%patch2 -p1 -R
%patch2 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p1
%patch6 -p1
#%patch8 -p1
#%patch9 -p1
#%patch10 -p1
#%patch11 -p1
#%patch14 -p1
%patch99 -p1
#%patch30 -p1
%patch31 -p1
%build
autoreconf -fiv