Accepting request 360916 from network

1 OBS-URL: https://build.opensuse.org/request/show/360916 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/rpcbind?expand=0&rev=48
2016-02-25 20:43:07 +00:00 · 2016-02-25 20:43:07 +00:00 · 83e835b604
commit 83e835b604
parent fd5139c215 1abcad9219
10 changed files with 379 additions and 47 deletions
--- a/0002-handle_reply-Don-t-use-the-xp_auth-pointer-directly.patch
+++ b/0002-handle_reply-Don-t-use-the-xp_auth-pointer-directly.patch
@ -0,0 +1,40 @@
 From 9194122389f2a56b1cd1f935e64307e2e963c2da Mon Sep 17 00:00:00 2001
 From: Steve Dickson <steved@redhat.com>
 Date: Mon, 2 Nov 2015 17:05:18 -0500
 Subject: [PATCH 3/4] handle_reply: Don't use the xp_auth pointer directly
 In the latest libtirpc version to access the xp_auth
 one must use the SVC_XP_AUTH macro. To be backwards
 compatible a couple ifdefs were added to use the
 macro when it exists.
 Signed-off-by: Steve Dickson <steved@redhat.com>
 ---
 src/rpcb_svc_com.c | 7 +++++++
 1 file changed, 7 insertions(+)
 diff --git a/src/rpcb_svc_com.c b/src/rpcb_svc_com.c
 index 4ae93f1..22d6c84 100644
 --- a/src/rpcb_svc_com.c
 +++ b/src/rpcb_svc_com.c
@@ -1295,10 +1295,17 @@ handle_reply(int fd, SVCXPRT *xprt)
 	a.rmt_localvers = fi->versnum;
 	xprt_set_caller(xprt, fi);
 +#if defined(SVC_XP_AUTH)
 +	SVC_XP_AUTH(xprt) = svc_auth_none;
 +#else 
 	xprt->xp_auth = &svc_auth_none;
 +#endif
 	svc_sendreply(xprt, (xdrproc_t) xdr_rmtcall_result, (char *) &a);
 +#if !defined(SVC_XP_AUTH)
 	SVCAUTH_DESTROY(xprt->xp_auth);
 	xprt->xp_auth = NULL;
 +#endif
 +
 done:
 	if (buffer)
 		free(buffer);
 -- 
 1.8.5.6
--- a/0002-revert-auth.patch
+++ b/0002-revert-auth.patch
@ -1,35 +0,0 @@
 commit 86036582c001e99075f4d74cb3829df39f2a9ddf
 Author: Frank Hirtz <fhirtz@redhat.com>
 Date:   Tue Oct 23 11:38:20 2012 -0400
    rpcbind is "swallowing" broadcast RPC replies
    If xp_auth is NULL, the transport routines will not send
    the reply. This patch fixes that problem.
    Signed-off-by: Steve Dickson <steved@redhat.com>
 diff --git a/src/rpcb_svc_com.c b/src/rpcb_svc_com.c
 index 5bb9a44..f6bd6bd 100644
 --- a/src/rpcb_svc_com.c
 +++ b/src/rpcb_svc_com.c
@@ -1227,6 +1227,8 @@ send_svcsyserr(SVCXPRT *xprt, struct finfo *fi)
 	return;
 }
 +extern SVCAUTH svc_auth_none;
 +
 static void
 handle_reply(int fd, SVCXPRT *xprt)
 {
@@ -1293,7 +1295,10 @@ handle_reply(int fd, SVCXPRT *xprt)
 	a.rmt_localvers = fi->versnum;
 	xprt_set_caller(xprt, fi);
 +	xprt->xp_auth = &svc_auth_none;
 	svc_sendreply(xprt, (xdrproc_t) xdr_rmtcall_result, (char *) &a);
 +	SVCAUTH_DESTROY(xprt->xp_auth);
 +	xprt->xp_auth = NULL;
 done:
 	if (buffer)
 		free(buffer);
--- a/0003-Delete-the-unix-socket-only-if-we-have-created-it.patch
+++ b/0003-Delete-the-unix-socket-only-if-we-have-created-it.patch
@ -0,0 +1,51 @@
 From 3a664b1b5a310df39bd0f325b0edb1deb31c2249 Mon Sep 17 00:00:00 2001
 From: Laurent Bigonville <bigon@bigon.be>
 Date: Wed, 18 Nov 2015 14:34:26 -0500
 Subject: [PATCH] Delete the unix socket only if we have created it
 From: Laurent Bigonville <bigon@bigon.be>
 If systemd has created the unix socket on our behalf, we shouldn't try
 to delete it.
 https://bugzilla.redhat.com/show_bug.cgi?id=1279076
 Signed-off-by: Laurent Bigonville <bigon@bigon.be
 Signed-off-by: Steve Dickson <steved@redhat.com>
 ---
 src/rpcbind.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
 diff --git a/src/rpcbind.c b/src/rpcbind.c
 index 045daa1..c4265cd 100644
 --- a/src/rpcbind.c
 +++ b/src/rpcbind.c
@@ -87,6 +87,7 @@ static inline void __nss_configure_lookup(const char *db, const char *s) {}
 int debugging = 0;	/* Tell me what's going on */
 int doabort = 0;	/* When debugging, do an abort on errors */
 int dofork = 1;		/* fork? */
 +int createdsocket = 0;  /* Did I create the socket or systemd did it for me? */
 rpcblist_ptr list_rbl;	/* A list of version 3/4 rpcbind services */
@@ -445,6 +446,7 @@ init_transport(struct netconfig *nconf)
 		memset(&sun, 0, sizeof sun);
 		sun.sun_family = AF_LOCAL;
 		unlink(_PATH_RPCBINDSOCK);
 +		createdsocket = 1; /* We are now in the process of creating the unix socket */
 		strcpy(sun.sun_path, _PATH_RPCBINDSOCK);
 		addrlen = SUN_LEN(&sun);
 		sa = (struct sockaddr *)&sun;
@@ -846,7 +848,8 @@ static void
 terminate(int dummy /*__unused*/)
 {
 	close(rpcbindlockfd);
 -	unlink(_PATH_RPCBINDSOCK);
 +	if(createdsocket)
 +		unlink(_PATH_RPCBINDSOCK);
 	unlink(RPCBINDDLOCK);
 #ifdef WARMSTART
 	write_warmstart();	/* Dump yourself */
 -- 
 1.8.5.6
--- a/0004-Fix-memory-corruption-in-PMAP_CALLIT-code.patch
+++ b/0004-Fix-memory-corruption-in-PMAP_CALLIT-code.patch
@ -0,0 +1,82 @@
 From d5dace219953c45d26ae42db238052b68540649a Mon Sep 17 00:00:00 2001
 From: Olaf Kirch <okir@suse.de>
 Date: Fri, 30 Oct 2015 10:18:20 -0400
 Subject: [PATCH 2/4] Fix memory corruption in PMAP_CALLIT code
 - A PMAP_CALLIT call comes in on IPv4 UDP
 - rpcbind duplicates the caller's address to a netbuf and stores it in
   FINFO[0].caller_addr. caller_addr->buf now points to a memory region A
   with a size of 16 bytes
 - rpcbind forwards the call to the local service, receives a reply
 - when processing the reply, it does this in xprt_set_caller:
    xprt->xp_rtaddr = *FINFO[0].caller_addr
   It sends out the reply, and then frees the netbuf caller_addr and
   caller_addr.buf.
   However, it does not clear xp_rtaddr, so xp_rtaddr.buf now refers
   to memory region A, which is free.
 - When the next call comes in on the UDP/IPv4 socket, svc_dg_recv will
   be called, which will set xp_rtaddr to the client's address.
   It will reuse the buffer inside xp_rtaddr, ie it will write a
   sockaddr_in to region A
 Some time down the road, an incoming TCP connection is accepted,
 allocating a fresh SVCXPRT. The memory region A is inside the
 new SVCXPRT
 - While processing the TCP call, another UDP call comes in, again
   overwriting region A with the client's address
 - TCP client closes connection. In svc_destroy, we now trip over
   the garbage left in region A
 We ran into the case where a commercial scanner was triggering
 occasional rpcbind segfaults. The core file that was captured showed
 a corrupted xprt->xp_netid pointer that was really a sockaddr_in.
 Signed-off-by: Olaf Kirch <okir@suse.de>
 Signed-off-by: Steve Dickson <steved@redhat.com>
 ---
 src/rpcb_svc_com.c | 23 ++++++++++++++++++++++-
 1 file changed, 22 insertions(+), 1 deletion(-)
 diff --git a/src/rpcb_svc_com.c b/src/rpcb_svc_com.c
 index ff9ce6b..4ae93f1 100644
 --- a/src/rpcb_svc_com.c
 +++ b/src/rpcb_svc_com.c
@@ -1183,12 +1183,33 @@ check_rmtcalls(struct pollfd *pfds, int nfds)
 	return (ncallbacks_found);
 }
 +/*
 + * This is really a helper function defined in libtirpc, 
 + * but unfortunately, it hasn't been exported yet.
 + */
 +static struct netbuf *
 +__rpc_set_netbuf(struct netbuf *nb, const void *ptr, size_t len)
 +{
 +	if (nb->len != len) {
 +		if (nb->len)
 +			mem_free(nb->buf, nb->len);
 +		nb->buf = mem_alloc(len);
 +		if (nb->buf == NULL)
 +			return NULL;
 +
 +		nb->maxlen = nb->len = len;
 +	}
 +	memcpy(nb->buf, ptr, len);
 +	return nb;
 +}
 +
 static void
 xprt_set_caller(SVCXPRT *xprt, struct finfo *fi)
 {
 +	const struct netbuf *caller = fi->caller_addr;
 	u_int32_t *xidp;
 -	*(svc_getrpccaller(xprt)) = *(fi->caller_addr);
 +	__rpc_set_netbuf(svc_getrpccaller(xprt), caller->buf, caller->len);
 	xidp = __rpcb_get_dg_xidp(xprt);
 	*xidp = fi->caller_xid;
 }
 -- 
 1.8.5.6
--- a/0005-security.c-removed-warning.patch
+++ b/0005-security.c-removed-warning.patch
@ -0,0 +1,29 @@
 From de47f6323d8fb20feefee21d0195cf0529151e04 Mon Sep 17 00:00:00 2001
 From: Steve Dickson <steved@redhat.com>
 Date: Thu, 17 Sep 2015 15:57:35 -0400
 Subject: [PATCH 1/4] security.c: removed warning
 src/security.c:100:8: warning: implicit declaration of function 'xlog'
 [-Wimplicit-function-declaration]
 Signed-off-by: Steve Dickson <steved@redhat.com>
 ---
 src/security.c | 2 ++
 1 file changed, 2 insertions(+)
 diff --git a/src/security.c b/src/security.c
 index 0c9453f..c54ce26 100644
 --- a/src/security.c
 +++ b/src/security.c
@@ -17,6 +17,8 @@
 #include <syslog.h>
 #include <netdb.h>
 +#include "xlog.h"
 +
 /*
  * XXX for special case checks in check_callit.
  */
 -- 
 1.8.5.6
--- a/0006-don-t-use-svc_fdset.patch
+++ b/0006-don-t-use-svc_fdset.patch
@ -1,8 +1,42 @@
 From e97a3d42704ac83453cc85d09ed48eb9755696a5 Mon Sep 17 00:00:00 2001
 From: Thorsten Kukuk <kukuk@thkukuk.de>
 Date: Fri, 19 Feb 2016 15:55:38 +0100
 Subject: [PATCH 1/1] rpcbind and libtirpc are both using poll in svc_run(),
 but rpcbind used the old svc_fdset interface for this. This limits the
 possible connections to 1024, while both could handle much more. rpcbind is
 now accessing directly the svc_pollfd data of libtirpc.
 Signed-off-by: Thorsten Kukuk <kukuk@thkukuk.de>
 ---
 src/rpcb_svc_com.c | 48 ++++++++++++++++--------------------------------
 1 file changed, 16 insertions(+), 32 deletions(-)
 diff --git a/src/rpcb_svc_com.c b/src/rpcb_svc_com.c
-index ff9ce6b..d675eda 100644
+index 22d6c84..148fe42 100644
 --- a/src/rpcb_svc_com.c
 +++ b/src/rpcb_svc_com.c
-@@ -1097,35 +1097,28 @@ netbuffree(struct netbuf *ap)
+@@ -536,10 +536,6 @@ create_rmtcall_fd(struct netconfig *nconf)
 		rmttail->next = rmt;
 		rmttail = rmt;
 	}
 -	/* XXX not threadsafe */
 -	if (fd > svc_maxfd)
 -		svc_maxfd = fd;
 -	FD_SET(fd, &svc_fdset);
 	return (fd);
 }
@@ -1056,9 +1052,6 @@ free_slot_by_index(int index)
 	fi = &FINFO[index];
 	if (fi->flag & FINFO_ACTIVE) {
 		netbuffree(fi->caller_addr);
 -		/* XXX may be too big, but can't access xprt array here */
 -		if (fi->forward_fd >= svc_maxfd)
 -			svc_maxfd--;
 		free(fi->uaddr);
 		fi->flag &= ~FINFO_ACTIVE;
 		rpcb_rmtcalls--;
@@ -1097,35 +1090,28 @@ netbuffree(struct netbuf *ap)
 }
@ -38,8 +72,7 @@ index ff9ce6b..d675eda 100644
 +
 +		if (svc_max_pollfd == 0 && svc_pollfd == NULL)
 +		  return;
- 
+
 -		switch (poll_ret = poll(pollfds, nfds, 30 * 1000)) {
 +
 +		for (i = 0; i < svc_max_pollfd; ++i)
 +		  {
@ -47,12 +80,13 @@ index ff9ce6b..d675eda 100644
 +		    my_pollfd[i].events = svc_pollfd[i].events;
 +		    my_pollfd[i].revents = 0;
 +		  }
-+
+ 
 -		switch (poll_ret = poll(pollfds, nfds, 30 * 1000)) {
 +		switch (poll_ret = poll(my_pollfd, svc_max_pollfd, 30 * 1000)) {
 		case -1:
 			/*
 			 * We ignore all errors, continuing with the assumption
-@@ -1133,8 +1126,6 @@ my_svc_run()
+@@ -1133,8 +1119,6 @@ my_svc_run()
 			 * other outside event) and not caused by poll().
 			 */
 		case 0:
@ -61,7 +95,7 @@ index ff9ce6b..d675eda 100644
 			continue;
 		default:
 			/*
-@@ -1144,10 +1135,10 @@ my_svc_run()
+@@ -1144,10 +1128,10 @@ my_svc_run()
 			 * don't call svc_getreq_poll.  Otherwise, there
 			 * must be another so we must call svc_getreq_poll.
 			 */
@ -74,3 +108,6 @@ index ff9ce6b..d675eda 100644
 		}
 	}
 }
 -- 
 1.8.5.6
--- a/0030-systemd-fix-rmtcall.patch
+++ b/0030-systemd-fix-rmtcall.patch
@ -0,0 +1,21 @@
 The init_transport changes broke rmtcall forwarding. Fix it.
 ---
 src/rpcbind.c |    4 ++++
 1 file changed, 4 insertions(+)
 Index: rpcbind-0.2.1_rc4/src/rpcbind.c
 ===================================================================
 --- rpcbind-0.2.1_rc4.orig/src/rpcbind.c
 +++ rpcbind-0.2.1_rc4/src/rpcbind.c
@@ -837,6 +837,10 @@ init_transports_systemd()
 			rpcbind_log_error("unable to create transport for socket fd %d", fd);
 			exit(1);
 		}
 +
 +		if (nconf->nc_semantics == NC_TPI_CLTS && create_rmtcall_fd(nconf) < 0) {
 +			rpcbind_log_error("unable to create rmtcall fd for %s", nconf->nc_netid);
 +		}
 	}
 	if (nc_handle)
--- a/0031-rpcbind-manpage.patch
+++ b/0031-rpcbind-manpage.patch
@ -0,0 +1,52 @@
 De-emphasize the -h option and refer people to systemd instead
 ---
 man/rpcbind.8 |   34 ++++++++++++++--------------------
 1 file changed, 14 insertions(+), 20 deletions(-)
 Index: rpcbind-0.2.1_rc4/man/rpcbind.8
 ===================================================================
 --- rpcbind-0.2.1_rc4.orig/man/rpcbind.8
 +++ rpcbind-0.2.1_rc4/man/rpcbind.8
@@ -86,27 +86,21 @@ checks are shown in detail.
 Do not fork and become a background process.
 .It Fl h
 Specify specific IP addresses to bind to for UDP requests.
 -This option
 -may be specified multiple times and is typically necessary when running
 -on a multi-homed host.
 -If no
 -.Fl h
 -option is specified,
 -.Nm
 -will bind to
 -.Dv INADDR_ANY ,
 -which could lead to problems on a multi-homed host due to
 +This option may be specified multiple times and can be used to
 +restrict the interfaces rpcbind will respond to.
 +Note that when
 .Nm
 -returning a UDP packet from a different IP address than it was
 -sent to.
 -Note that when specifying IP addresses with
 -.Fl h ,
 -.Nm
 -will automatically add
 -.Li 127.0.0.1
 -and if IPv6 is enabled,
 -.Li ::1
 -to the list.
 +is controlled via systemd's socket activation,
 +the
 +.Fl h
 +option is ignored. In this case, you need to edit
 +the
 +.Nm ListenStream
 +and
 +.Nm ListenDgram
 +definitions in
 +.Nm /usr/lib/systemd/system/rpcbind.socket
 +instead.
 .It Fl i
 .Dq Insecure
 mode.
--- a/rpcbind.changes
+++ b/rpcbind.changes
@ -1,3 +1,29 @@
 -------------------------------------------------------------------
 Fri Feb 19 16:00:46 CET 2016 - kukuk@suse.de
 - Add 0006-don-t-use-svc_fdset.patch: don't use the svc_fdset 
  interface for libtirpc, which is limited to 1024 connections.
 -------------------------------------------------------------------
 Fri Feb 12 16:18:30 CET 2016 - kukuk@suse.de
 - Sync with current git:
  - Replace 0002-revert-auth.patch with 
    0002-handle_reply-Don-t-use-the-xp_auth-pointer-directly.patch
  - Add 0003-Delete-the-unix-socket-only-if-we-have-created-it.patch
    to fix problems with activation via sockets by systemd
  - Replace 0032-CVE-2015-7236.patch with 
    0004-Fix-memory-corruption-in-PMAP_CALLIT-code.patch
  - Add 0005-security.c-removed-warning.patch to fix compiler warnings
 - Temporary remove 099-poll.patch
 -------------------------------------------------------------------
 Wed Jan 27 15:08:00 CET 2016 - kukuk@suse.de
 - Disable 0030-systemd-fix-rmtcall.patch, needs the other disabled
  patches. 
 - Submit for SLE12SP2 [FATE#320393]
 -------------------------------------------------------------------
 Tue Nov 17 14:20:28 CET 2015 - kukuk@suse.de
@ -5,11 +31,30 @@ Tue Nov 17 14:20:28 CET 2015 - kukuk@suse.de
  with libtirpc 1.0.1 
  (http://sourceforge.net/p/libtirpc/mailman/message/34585439/)
 -------------------------------------------------------------------
 Mon Sep 21 13:51:41 UTC 2015 - okir@suse.com
 - Add patch 0032-CVE-2015-7236.patch to fix a segfault on certain
  remote scans [CVE-2015-7236, bsc#940191, bsc#946204]
 -------------------------------------------------------------------
 Mon Jul 27 08:27:14 UTC 2015 - okir@suse.com
 - Document how to restrict addresses that rpcbind will listen on
  [bsc#935102]
  Added 0031-rpcbind-manpage.patch
 -------------------------------------------------------------------
 Tue Jul 14 16:52:03 CEST 2015 - kukuk@suse.de
 - Add 099-poll.patch: use libtirpc with poll() implementation
 -------------------------------------------------------------------
 Wed May 27 08:38:26 UTC 2015 - okir@suse.com
 - Add patch 0030-systemd-fix-rmtcall.patch to fix rmtcall
  forwarding (bnc#932423)
 -------------------------------------------------------------------
 Thu Apr 30 09:36:21 CEST 2015 - kukuk@suse.de
--- a/rpcbind.spec
+++ b/rpcbind.spec
@ -1,7 +1,7 @@
 #
 # spec file for package rpcbind
 #
-# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@ -36,13 +36,18 @@ BuildRequires:  pkgconfig(libsystemd-daemon)
 PreReq:         %fillup_prereq
 Requires(pre):  /usr/sbin/useradd
 Patch1:         0001-systemd-unit-files.patch
-Patch2:         0002-revert-auth.patch
+Patch2:         0002-handle_reply-Don-t-use-the-xp_auth-pointer-directly.patch
 Patch3:         0003-Delete-the-unix-socket-only-if-we-have-created-it.patch
 Patch4:         0004-Fix-memory-corruption-in-PMAP_CALLIT-code.patch
 Patch5:         0005-security.c-removed-warning.patch
 Patch6:         0006-don-t-use-svc_fdset.patch
 Patch8:         0008-First-part-of-init_transport-refactoring.patch
 Patch9:         0009-init_transport-move-the-registration-code-into-a-sep.patch
 Patch10:        0010-Fix-the-behavior-when-specifying-the-h-option.patch
 Patch11:        0011-Clean-up-the-way-we-handle-the-h-option-in-init_tran.patch
 Patch14:        0014-When-using-systemd-redirect-syslog-calls-to-the-syst.patch
-Patch99:        099-poll.patch
+Patch30:        0030-systemd-fix-rmtcall.patch
 Patch31:        0031-rpcbind-manpage.patch
 %define statefile /var/lib/portmap.state
 %{?systemd_requires}
@ -59,13 +64,18 @@ regards to portmap.
 %setup -q
 cp %{SOURCE4} .
 %patch1 -p1
-%patch2 -p1 -R
+%patch2 -p1
 %patch3 -p1
 %patch4 -p1
 %patch5 -p1
 %patch6 -p1
 #%patch8 -p1
 #%patch9 -p1
 #%patch10 -p1
 #%patch11 -p1
 #%patch14 -p1
-%patch99 -p1
+#%patch30 -p1
 %patch31 -p1
 %build
 autoreconf -fiv