pool/rpcbind
SHA256
2
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 360916 from network

Browse Source 
1

OBS-URL: https://build.opensuse.org/request/show/360916
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/rpcbind?expand=0&rev=48
This commit is contained in:
Dominique Leuenberger 2016-02-25 20:43:07 +00:00 committed by Git OBS Bridge
commit 83e835b604
10 changed files with 379 additions and 47 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

40
0002-handle_reply-Don-t-use-the-xp_auth-pointer-directly.patch Normal file
View File

@ -0,0 +1,40 @@
From 9194122389f2a56b1cd1f935e64307e2e963c2da Mon Sep 17 00:00:00 2001
From: Steve Dickson <steved@redhat.com>
Date: Mon, 2 Nov 2015 17:05:18 -0500
Subject: [PATCH 3/4] handle_reply: Don't use the xp_auth pointer directly
In the latest libtirpc version to access the xp_auth
one must use the SVC_XP_AUTH macro. To be backwards
compatible a couple ifdefs were added to use the
macro when it exists.
Signed-off-by: Steve Dickson <steved@redhat.com>
---
src/rpcb_svc_com.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/src/rpcb_svc_com.c b/src/rpcb_svc_com.c
index 4ae93f1..22d6c84 100644
--- a/src/rpcb_svc_com.c
+++ b/src/rpcb_svc_com.c
@@ -1295,10 +1295,17 @@ handle_reply(int fd, SVCXPRT *xprt)
a.rmt_localvers = fi->versnum;
xprt_set_caller(xprt, fi);
+#if defined(SVC_XP_AUTH)
+ SVC_XP_AUTH(xprt) = svc_auth_none;
+#else
xprt->xp_auth = &svc_auth_none;
+#endif
svc_sendreply(xprt, (xdrproc_t) xdr_rmtcall_result, (char *) &a);
+#if !defined(SVC_XP_AUTH)
SVCAUTH_DESTROY(xprt->xp_auth);
xprt->xp_auth = NULL;
+#endif
+
done:
if (buffer)
free(buffer);
--
1.8.5.6

35
0002-revert-auth.patch
View File

@ -1,35 +0,0 @@
commit 86036582c001e99075f4d74cb3829df39f2a9ddf
Author: Frank Hirtz <fhirtz@redhat.com>
Date: Tue Oct 23 11:38:20 2012 -0400
rpcbind is "swallowing" broadcast RPC replies
If xp_auth is NULL, the transport routines will not send
the reply. This patch fixes that problem.
Signed-off-by: Steve Dickson <steved@redhat.com>
diff --git a/src/rpcb_svc_com.c b/src/rpcb_svc_com.c
index 5bb9a44..f6bd6bd 100644
--- a/src/rpcb_svc_com.c
+++ b/src/rpcb_svc_com.c
@@ -1227,6 +1227,8 @@ send_svcsyserr(SVCXPRT *xprt, struct finfo *fi)
return;
}
+extern SVCAUTH svc_auth_none;
+
static void
handle_reply(int fd, SVCXPRT *xprt)
{
@@ -1293,7 +1295,10 @@ handle_reply(int fd, SVCXPRT *xprt)
a.rmt_localvers = fi->versnum;
xprt_set_caller(xprt, fi);
+ xprt->xp_auth = &svc_auth_none;
svc_sendreply(xprt, (xdrproc_t) xdr_rmtcall_result, (char *) &a);
+ SVCAUTH_DESTROY(xprt->xp_auth);
+ xprt->xp_auth = NULL;
done:
if (buffer)
free(buffer);

51
0003-Delete-the-unix-socket-only-if-we-have-created-it.patch Normal file
View File

@ -0,0 +1,51 @@
From 3a664b1b5a310df39bd0f325b0edb1deb31c2249 Mon Sep 17 00:00:00 2001
From: Laurent Bigonville <bigon@bigon.be>
Date: Wed, 18 Nov 2015 14:34:26 -0500
Subject: [PATCH] Delete the unix socket only if we have created it
From: Laurent Bigonville <bigon@bigon.be>
If systemd has created the unix socket on our behalf, we shouldn't try
to delete it.
https://bugzilla.redhat.com/show_bug.cgi?id=1279076
Signed-off-by: Laurent Bigonville <bigon@bigon.be
Signed-off-by: Steve Dickson <steved@redhat.com>
---
src/rpcbind.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/rpcbind.c b/src/rpcbind.c
index 045daa1..c4265cd 100644
--- a/src/rpcbind.c
+++ b/src/rpcbind.c
@@ -87,6 +87,7 @@ static inline void __nss_configure_lookup(const char *db, const char *s) {}
int debugging = 0; /* Tell me what's going on */
int doabort = 0; /* When debugging, do an abort on errors */
int dofork = 1; /* fork? */
+int createdsocket = 0; /* Did I create the socket or systemd did it for me? */
rpcblist_ptr list_rbl; /* A list of version 3/4 rpcbind services */
@@ -445,6 +446,7 @@ init_transport(struct netconfig *nconf)
memset(&sun, 0, sizeof sun);
sun.sun_family = AF_LOCAL;
unlink(_PATH_RPCBINDSOCK);
+ createdsocket = 1; /* We are now in the process of creating the unix socket */
strcpy(sun.sun_path, _PATH_RPCBINDSOCK);
addrlen = SUN_LEN(&sun);
sa = (struct sockaddr *)&sun;
@@ -846,7 +848,8 @@ static void
terminate(int dummy /*__unused*/)
{
close(rpcbindlockfd);
- unlink(_PATH_RPCBINDSOCK);
+ if(createdsocket)
+ unlink(_PATH_RPCBINDSOCK);
unlink(RPCBINDDLOCK);
#ifdef WARMSTART
write_warmstart(); /* Dump yourself */
--
1.8.5.6

82
0004-Fix-memory-corruption-in-PMAP_CALLIT-code.patch Normal file
View File

@ -0,0 +1,82 @@
From d5dace219953c45d26ae42db238052b68540649a Mon Sep 17 00:00:00 2001
From: Olaf Kirch <okir@suse.de>
Date: Fri, 30 Oct 2015 10:18:20 -0400
Subject: [PATCH 2/4] Fix memory corruption in PMAP_CALLIT code
- A PMAP_CALLIT call comes in on IPv4 UDP
- rpcbind duplicates the caller's address to a netbuf and stores it in
FINFO[0].caller_addr. caller_addr->buf now points to a memory region A
with a size of 16 bytes
- rpcbind forwards the call to the local service, receives a reply
- when processing the reply, it does this in xprt_set_caller:
xprt->xp_rtaddr = *FINFO[0].caller_addr
It sends out the reply, and then frees the netbuf caller_addr and
caller_addr.buf.
However, it does not clear xp_rtaddr, so xp_rtaddr.buf now refers
to memory region A, which is free.
- When the next call comes in on the UDP/IPv4 socket, svc_dg_recv will
be called, which will set xp_rtaddr to the client's address.
It will reuse the buffer inside xp_rtaddr, ie it will write a
sockaddr_in to region A
Some time down the road, an incoming TCP connection is accepted,
allocating a fresh SVCXPRT. The memory region A is inside the
new SVCXPRT
- While processing the TCP call, another UDP call comes in, again
overwriting region A with the client's address
- TCP client closes connection. In svc_destroy, we now trip over
the garbage left in region A
We ran into the case where a commercial scanner was triggering
occasional rpcbind segfaults. The core file that was captured showed
a corrupted xprt->xp_netid pointer that was really a sockaddr_in.
Signed-off-by: Olaf Kirch <okir@suse.de>
Signed-off-by: Steve Dickson <steved@redhat.com>
---
src/rpcb_svc_com.c | 23 ++++++++++++++++++++++-
1 file changed, 22 insertions(+), 1 deletion(-)
diff --git a/src/rpcb_svc_com.c b/src/rpcb_svc_com.c
index ff9ce6b..4ae93f1 100644
--- a/src/rpcb_svc_com.c
+++ b/src/rpcb_svc_com.c
@@ -1183,12 +1183,33 @@ check_rmtcalls(struct pollfd *pfds, int nfds)
return (ncallbacks_found);
}
+/*
+ * This is really a helper function defined in libtirpc,
+ * but unfortunately, it hasn't been exported yet.
+ */
+static struct netbuf *
+__rpc_set_netbuf(struct netbuf *nb, const void *ptr, size_t len)
+{
+ if (nb->len != len) {
+ if (nb->len)
+ mem_free(nb->buf, nb->len);
+ nb->buf = mem_alloc(len);
+ if (nb->buf == NULL)
+ return NULL;
+
+ nb->maxlen = nb->len = len;
+ }
+ memcpy(nb->buf, ptr, len);
+ return nb;
+}
+
static void
xprt_set_caller(SVCXPRT *xprt, struct finfo *fi)
{
+ const struct netbuf *caller = fi->caller_addr;
u_int32_t *xidp;
- *(svc_getrpccaller(xprt)) = *(fi->caller_addr);
+ __rpc_set_netbuf(svc_getrpccaller(xprt), caller->buf, caller->len);
xidp = __rpcb_get_dg_xidp(xprt);
*xidp = fi->caller_xid;
}
--
1.8.5.6

29
0005-security.c-removed-warning.patch Normal file
View File

@ -0,0 +1,29 @@
From de47f6323d8fb20feefee21d0195cf0529151e04 Mon Sep 17 00:00:00 2001
From: Steve Dickson <steved@redhat.com>
Date: Thu, 17 Sep 2015 15:57:35 -0400
Subject: [PATCH 1/4] security.c: removed warning
src/security.c:100:8: warning: implicit declaration of function 'xlog'
[-Wimplicit-function-declaration]
Signed-off-by: Steve Dickson <steved@redhat.com>
---
src/security.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/src/security.c b/src/security.c
index 0c9453f..c54ce26 100644
--- a/src/security.c
+++ b/src/security.c
@@ -17,6 +17,8 @@
#include <syslog.h>
#include <netdb.h>
+#include "xlog.h"
+
/*
* XXX for special case checks in check_callit.
*/
--
1.8.5.6

51
099-poll.patch → 0006-don-t-use-svc_fdset.patch
View File

@ -1,8 +1,42 @@
From e97a3d42704ac83453cc85d09ed48eb9755696a5 Mon Sep 17 00:00:00 2001
From: Thorsten Kukuk <kukuk@thkukuk.de>
Date: Fri, 19 Feb 2016 15:55:38 +0100
Subject: [PATCH 1/1] rpcbind and libtirpc are both using poll in svc_run(),
but rpcbind used the old svc_fdset interface for this. This limits the
possible connections to 1024, while both could handle much more. rpcbind is
now accessing directly the svc_pollfd data of libtirpc.
Signed-off-by: Thorsten Kukuk <kukuk@thkukuk.de>
---
src/rpcb_svc_com.c | 48 ++++++++++++++++--------------------------------
1 file changed, 16 insertions(+), 32 deletions(-)
diff --git a/src/rpcb_svc_com.c b/src/rpcb_svc_com.c
index ff9ce6b..d675eda 100644
index 22d6c84..148fe42 100644
--- a/src/rpcb_svc_com.c
+++ b/src/rpcb_svc_com.c
@@ -1097,35 +1097,28 @@ netbuffree(struct netbuf *ap)
@@ -536,10 +536,6 @@ create_rmtcall_fd(struct netconfig *nconf)
rmttail->next = rmt;
rmttail = rmt;
}
- /* XXX not threadsafe */
- if (fd > svc_maxfd)
- svc_maxfd = fd;
- FD_SET(fd, &svc_fdset);
return (fd);
}
@@ -1056,9 +1052,6 @@ free_slot_by_index(int index)
fi = &FINFO[index];
if (fi->flag & FINFO_ACTIVE) {
netbuffree(fi->caller_addr);
- /* XXX may be too big, but can't access xprt array here */
- if (fi->forward_fd >= svc_maxfd)
- svc_maxfd--;
free(fi->uaddr);
fi->flag &= ~FINFO_ACTIVE;
rpcb_rmtcalls--;
@@ -1097,35 +1090,28 @@ netbuffree(struct netbuf *ap)
}
@ -38,8 +72,7 @@ index ff9ce6b..d675eda 100644
+
+ if (svc_max_pollfd == 0 && svc_pollfd == NULL)
+ return;
- switch (poll_ret = poll(pollfds, nfds, 30 * 1000)) {
+
+
+ for (i = 0; i < svc_max_pollfd; ++i)
+ {
@ -47,12 +80,13 @@ index ff9ce6b..d675eda 100644
+ my_pollfd[i].events = svc_pollfd[i].events;
+ my_pollfd[i].revents = 0;
+ }
+
- switch (poll_ret = poll(pollfds, nfds, 30 * 1000)) {
+ switch (poll_ret = poll(my_pollfd, svc_max_pollfd, 30 * 1000)) {
case -1:
/*
* We ignore all errors, continuing with the assumption
@@ -1133,8 +1126,6 @@ my_svc_run()
@@ -1133,8 +1119,6 @@ my_svc_run()
* other outside event) and not caused by poll().
*/
case 0:
@ -61,7 +95,7 @@ index ff9ce6b..d675eda 100644
continue;
default:
/*
@@ -1144,10 +1135,10 @@ my_svc_run()
@@ -1144,10 +1128,10 @@ my_svc_run()
* don't call svc_getreq_poll. Otherwise, there
* must be another so we must call svc_getreq_poll.
*/
@ -74,3 +108,6 @@ index ff9ce6b..d675eda 100644
}
}
}
--
1.8.5.6

21
0030-systemd-fix-rmtcall.patch Normal file
View File

@ -0,0 +1,21 @@
The init_transport changes broke rmtcall forwarding. Fix it.
---
src/rpcbind.c | 4 ++++
1 file changed, 4 insertions(+)
Index: rpcbind-0.2.1_rc4/src/rpcbind.c
===================================================================
--- rpcbind-0.2.1_rc4.orig/src/rpcbind.c
+++ rpcbind-0.2.1_rc4/src/rpcbind.c
@@ -837,6 +837,10 @@ init_transports_systemd()
rpcbind_log_error("unable to create transport for socket fd %d", fd);
exit(1);
}
+
+ if (nconf->nc_semantics == NC_TPI_CLTS && create_rmtcall_fd(nconf) < 0) {
+ rpcbind_log_error("unable to create rmtcall fd for %s", nconf->nc_netid);
+ }
}
if (nc_handle)

52
0031-rpcbind-manpage.patch Normal file
View File

@ -0,0 +1,52 @@
De-emphasize the -h option and refer people to systemd instead
---
man/rpcbind.8 | 34 ++++++++++++++--------------------
1 file changed, 14 insertions(+), 20 deletions(-)
Index: rpcbind-0.2.1_rc4/man/rpcbind.8
===================================================================
--- rpcbind-0.2.1_rc4.orig/man/rpcbind.8
+++ rpcbind-0.2.1_rc4/man/rpcbind.8
@@ -86,27 +86,21 @@ checks are shown in detail.
Do not fork and become a background process.
.It Fl h
Specify specific IP addresses to bind to for UDP requests.
-This option
-may be specified multiple times and is typically necessary when running
-on a multi-homed host.
-If no
-.Fl h
-option is specified,
-.Nm
-will bind to
-.Dv INADDR_ANY ,
-which could lead to problems on a multi-homed host due to
+This option may be specified multiple times and can be used to
+restrict the interfaces rpcbind will respond to.
+Note that when
.Nm
-returning a UDP packet from a different IP address than it was
-sent to.
-Note that when specifying IP addresses with
-.Fl h ,
-.Nm
-will automatically add
-.Li 127.0.0.1
-and if IPv6 is enabled,
-.Li ::1
-to the list.
+is controlled via systemd's socket activation,
+the
+.Fl h
+option is ignored. In this case, you need to edit
+the
+.Nm ListenStream
+and
+.Nm ListenDgram
+definitions in
+.Nm /usr/lib/systemd/system/rpcbind.socket
+instead.
.It Fl i
.Dq Insecure
mode.

45
rpcbind.changes
View File

@ -1,3 +1,29 @@
-------------------------------------------------------------------
Fri Feb 19 16:00:46 CET 2016 - kukuk@suse.de
- Add 0006-don-t-use-svc_fdset.patch: don't use the svc_fdset
interface for libtirpc, which is limited to 1024 connections.
-------------------------------------------------------------------
Fri Feb 12 16:18:30 CET 2016 - kukuk@suse.de
- Sync with current git:
- Replace 0002-revert-auth.patch with
0002-handle_reply-Don-t-use-the-xp_auth-pointer-directly.patch
- Add 0003-Delete-the-unix-socket-only-if-we-have-created-it.patch
to fix problems with activation via sockets by systemd
- Replace 0032-CVE-2015-7236.patch with
0004-Fix-memory-corruption-in-PMAP_CALLIT-code.patch
- Add 0005-security.c-removed-warning.patch to fix compiler warnings
- Temporary remove 099-poll.patch
-------------------------------------------------------------------
Wed Jan 27 15:08:00 CET 2016 - kukuk@suse.de
- Disable 0030-systemd-fix-rmtcall.patch, needs the other disabled
patches.
- Submit for SLE12SP2 [FATE#320393]
-------------------------------------------------------------------
Tue Nov 17 14:20:28 CET 2015 - kukuk@suse.de
@ -5,11 +31,30 @@ Tue Nov 17 14:20:28 CET 2015 - kukuk@suse.de
with libtirpc 1.0.1
(http://sourceforge.net/p/libtirpc/mailman/message/34585439/)
-------------------------------------------------------------------
Mon Sep 21 13:51:41 UTC 2015 - okir@suse.com
- Add patch 0032-CVE-2015-7236.patch to fix a segfault on certain
remote scans [CVE-2015-7236, bsc#940191, bsc#946204]
-------------------------------------------------------------------
Mon Jul 27 08:27:14 UTC 2015 - okir@suse.com
- Document how to restrict addresses that rpcbind will listen on
[bsc#935102]
Added 0031-rpcbind-manpage.patch
-------------------------------------------------------------------
Tue Jul 14 16:52:03 CEST 2015 - kukuk@suse.de
- Add 099-poll.patch: use libtirpc with poll() implementation
-------------------------------------------------------------------
Wed May 27 08:38:26 UTC 2015 - okir@suse.com
- Add patch 0030-systemd-fix-rmtcall.patch to fix rmtcall
forwarding (bnc#932423)
-------------------------------------------------------------------
Thu Apr 30 09:36:21 CEST 2015 - kukuk@suse.de

20
rpcbind.spec
View File

@ -1,7 +1,7 @@
#
# spec file for package rpcbind
#
# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany.
# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@ -36,13 +36,18 @@ BuildRequires: pkgconfig(libsystemd-daemon)
PreReq: %fillup_prereq
Requires(pre): /usr/sbin/useradd
Patch1: 0001-systemd-unit-files.patch
Patch2: 0002-revert-auth.patch
Patch2: 0002-handle_reply-Don-t-use-the-xp_auth-pointer-directly.patch
Patch3: 0003-Delete-the-unix-socket-only-if-we-have-created-it.patch
Patch4: 0004-Fix-memory-corruption-in-PMAP_CALLIT-code.patch
Patch5: 0005-security.c-removed-warning.patch
Patch6: 0006-don-t-use-svc_fdset.patch
Patch8: 0008-First-part-of-init_transport-refactoring.patch
Patch9: 0009-init_transport-move-the-registration-code-into-a-sep.patch
Patch10: 0010-Fix-the-behavior-when-specifying-the-h-option.patch
Patch11: 0011-Clean-up-the-way-we-handle-the-h-option-in-init_tran.patch
Patch14: 0014-When-using-systemd-redirect-syslog-calls-to-the-syst.patch
Patch99: 099-poll.patch
Patch30: 0030-systemd-fix-rmtcall.patch
Patch31: 0031-rpcbind-manpage.patch
%define statefile /var/lib/portmap.state
%{?systemd_requires}
@ -59,13 +64,18 @@ regards to portmap.
%setup -q
cp %{SOURCE4} .
%patch1 -p1
%patch2 -p1 -R
%patch2 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p1
%patch6 -p1
#%patch8 -p1
#%patch9 -p1
#%patch10 -p1
#%patch11 -p1
#%patch14 -p1
%patch99 -p1
#%patch30 -p1
%patch31 -p1
%build
autoreconf -fiv